FOREWORD

Currently, there is no internationally accepted definition of when hostile actions in cyberspace are recognized as attacks, let alone acts of war. The goal of this monograph is to provide senior policymakers, decisionmakers, military leaders, and their respective staffs with essential background on this topic as well as to introduce an analytical framework for them to utilize according to their needs.

The examination canvasses existing decisionmaking policies, structures, and influences to provide a holistic context for the assessment that extends beyond limits of the legal and technical communities. Its approach focuses on the synthesis and integration of material from existing experts, deferring the detailed analysis to the many published studies.

Such broad coverage of many complex issues necessarily requires simplification that may negate certain nuances expected by experienced professionals in those fields; but it is hoped that readers understand these limitations. The purpose is not to prescribe or dictate a specific methodology of assessment; rather, it is to introduce decisionmakers and their staffs to a portfolio of options built around the concepts of characterization, assessment criteria, policy considerations, and courses of action consequences.
SUMMARY

The monograph is comprised of four main sections:

• Characterization. This section provides the notional foundation necessary to avoid any devolution of the analysis to mere semantic arguments. It presents how cyberspace is defined and characterized for this discussion, as well as how this compares to existing concepts of the traditional domains of land, sea, air, and space. Also, it identifies some of the unique technical challenges that the cyberspace domain may introduce into the process of distinguishing acts of war.

• Assessment Criteria. This section explores the de jure and the de facto issues involved with assaying cyber incidents to determine if they represent aggression and possible use of force; and, if so, to what degree? It reviews the traditional legal frameworks surrounding military action to include the United Nations (UN) Charter and the Law of Armed Conflict. It also examines how these compare to the recently published Tallinn Manual on the International Law Applicable to Cyber Warfare. From these sources, it proposes a cyberspace incident assessment methodology.

• Policy Considerations. Having identified viable criteria to aid with the assessment of cyberspace incidents, this section looks at the policy considerations associated with applying such principles. First, it examines the relevant U.S. strategies; next, it investigates the strategies of other key countries and international organizations and how they compare to U.S. tenets; and finally, it evaluates how nonstate actors may affect U.S. deliberations.

• Courses of Action. This section examines the influences that course of action development and implementation may have on the assessment of cyberspace incidents. It first looks at the President's role as the primary decisionmaker in U.S. national matters regarding cyberspace. It then surveys key influences affecting subordinate decisionmakers and their staffs that may be advising the Commander-in-Chief: reliable situational awareness, global and domestic environment considerations, and options and their related risks and potential consequences.

Any reader expecting a perfect solution for this conundrum will be disappointed, as the examination is more about the journey than the destination. In the end, many of the challenges with this issue are common with those of the traditional domains; however, the complex and dynamic character of the cyberspace domain introduces unique vexations for senior policymakers and decisionmakers.

The conclusion of this monograph includes recommendations that the author hopes will aid in the positive evolution toward a better understanding and mitigation of the fog and friction surrounding the distinction of acts of war in cyberspace.
DISTINGUISHING ACTS OF WAR IN CYBERSPACE:
ASSESSMENT CRITERIA, POLICY CONSIDERATIONS, AND RESPONSE IMPLICATIONS

Currently, there is no internationally accepted definition of when hostile actions in cyberspace are recognized as attacks, let alone acts of war. The goal of this monograph is to provide senior policymakers, decisionmakers, military leaders, and their respective staffs with essential background on this topic as well as introduce an analytical framework for them to utilize according to their needs. The examination canvasses existing decisionmaking policies, structures, and influences to provide a holistic context for the assessment that extends beyond limits of the legal and technical communities. Its approach focuses on the synthesis and integration of material from existing experts, deferring the detailed analysis to the many published studies. Such broad coverage of many complex issues necessarily requires simplification that may negate certain nuances expected by experienced professionals in those fields. The author respectfully requests that readers understand these limitations. The purpose is not to prescribe or dictate a specific methodology of assessment; rather, it is to introduce decisionmakers and their staffs to a portfolio of options built around the concepts of characterization, assessment criteria, policy considerations, and courses of action consequences.
CHARACTERIZATION

This section provides the notional foundation for the dialogue on this issue necessary to avoid any devolution of the analysis to mere semantic arguments. It presents how cyberspace is defined and characterized for this discussion, as well as how this compares to existing concepts of the traditional domains of land, sea, air, and space. Also, it identifies some of the unique technical challenges that the cyberspace domain may introduce into the process of distinguishing acts of war.

Assessment Context. 

The popular concept of an "act of war" is that of a single event or incident of violence and aggression that could justifiably drive one nation to legally declare war on another. In a November 2011 report to Congress, the Department of Defense (DoD) termed an act of war simply as "an act that may lead to a state of ongoing hostilities or armed conflict," and it is this definition that is used for this monograph.

Acts of War and the Military Domains. 

On October 11, 2012, then Secretary of Defense Leon Panetta warned of a possible "cyber Pearl Harbor" during a speech in New York City, repeating a warning that has floated around the Washington, DC, area for more than 2 decades. In reporting this event, a Washington Post article asserted that "we all know what an act of war looks like on land or sea," implying that distinguishing acts of war in the traditional domains is a simple matter. Certainly, there are clear-cut historical examples such as Pearl Harbor (for the air and sea domains) and the 1990 invasion of Kuwait by Iraq (for the land domain) that would support this view. But what other, perhaps lesser, actions by one nation against another constitute acts of war? What are the thresholds of force and violence for this distinction, and are they universally recognized? The same article later concedes that "deciding what amounts to an act of war is more a political judgment than a military or legal one" and notes that incidents such as the 1979 attack and seizure of the U.S. Embassy in Tehran did not cause the United States to go to war. Noted author Thomas Rid observes that this is consistent with the Clausewitzian concept of war as a continuation of politics by other means and he posits that "any act of war has to have the potential to be lethal; it has to be instrumental [i.e., have clear means and ends]; and it has to be political."

For the time being, let us assume we can distinguish acts of war in cyberspace using the same criteria and analysis used to determine war in the traditional domains. How do we characterize this new domain? A simplified model of cyberspace offered by information warfare expert Dr. Dan Kuehl consists of three elements: information content, electromagnetic connectivity, and human cognition. Recent Army conceptual models follow parallel logic in their three layers: the Physical Layer (geographic components and physical network components); the Logical Layer (logical network components), and the Social Layer (persona components and cyber persona components). One could argue from these models that the domain of cyberspace has existed in war for well over a century (for example, consider the use of telegraphs in the Civil War). Over the last 50 years, the content and connectivity elements of cyberspace have been transformed with the introduction of electronic transistor-based data processing devices. Hence, this monograph will focus on the modern incarnation of cyberspace created largely by the convergence of three events—the introduction of the personal computer (circa 1975), the Internet (circa 1982), and the worldwide web protocol (circa 1989).

For practical discussion of military matters, let us use the current joint staff definition of cyberspace as:

a global domain within the information environment consisting of the interdependent network of information technology infrastructures and resident data, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.

Note that this definition emphasizes the content and connectivity portions of the Kuehl model (i.e., the information technology aspects), but fails to include any mention of cognition. Also, this definition is unclear regarding the roles of the electromagnetic (EM) spectrum and electronic warfare (EW) within the cyberspace domain. There are still doctrinal debates and differences among service components regarding the relationship. With this definition of cyberspace in hand, let us now consider how conflict may manifest there.

Conflict in Modern Cyberspace. 

Secretary Panetta's remarks in October 2012 reiterated some themes of his testimony before the Senate Armed Services Committee in March 2011. In fact, his statement that "the next Pearl Harbor we confront could very well be a cyber-attack" caught the attention of the committee chairman and ranking member. They reminded the Secretary of several key issues that needed to be resolved to comply with legislative provisions:

During the Committee's examination of the proposal to establish U.S. Cyber Command as a sub-unified command under U.S. Strategic Command, it became evident that a number of critical questions with respect to legal authorities and policy would need to be resolved, including the relationship between military operations in cyberspace and kinetic operations; the development of a declaratory deterrence posture for cyberspace; the necessity of preserving the President's freedom of action in crises and confrontations in the face of severe vulnerabilities in the Nation's critical infrastructure; the rules of engagement for commanders; the definition of what would constitute an act of war in cyberspace; and what constitutes the use of force for the purpose of complying with the War Powers Act.

Further, they clarified that the recent DoD efforts did not fulfill their expectations:

Despite the release last week [July 14, 2012] of the "Department of Defense Strategy for Operating in Cyberspace," the requirements of Section 934 [of Senate report] . . . remain unmet. The continued failure to address and define the policies and legal authorities necessary for the Pentagon to operate in the cyberspace domain remains a significant gap in our national security that must be addressed.

The content and scope of the committee's questions demonstrate that its interest is not limited merely to what and how military forces operate in cyberspace. Rather, the committee is also concerned with how these operations integrate with existing U.S. policy, as well as executive guidance and direction. Thus, while considering cyberspace as a domain may be sufficient for analyzing warfighting issues, a broader construct of cyberspace is necessary to include other elements of national power. Admiral Arthur Cebrowski, the DoD transformation lead under Secretary of Defense Donald Rumsfeld, offered a view of cyberspace as "a new strategic common, analogous to the sea as an international domain of trade and communication." This more holistic definition includes not only military forces but also the national elements of diplomacy, information, and economy. Kuehl developed this concept further and termed its aggregate as "cyberpower," which he defined as "the ability to use cyberspace to create advantages and influence events in all the operational environments and across the instruments of power."

How has conflict revealed itself during the first 25 years of modern cyberspace? Jason Healey, director of the Atlantic Council's Cyber Statecraft Initiative, contends that there is already a rich history of cyber conflict in the last quarter century with significant historical lessons that can be applied to future activities. Consistent with the commons paradigm of cyber power, he notes that "the more strategically significant the cyber conflict, the more similar it is to conflicts on the land, in the air, and on the sea," with the interesting caveat that "governments rarely play a central role in mitigating them." Despite this assertion, he depicts modern cyber conflict as having entered its current phase of militarization in 2003 with well-documented cases such as Estonia (2007), Georgia (2008), and BUCKSHOT YANKEE (2008), among many others. More importantly, he predicts that future trends are toward more destructive cyber conflicts with more disruptive, covert, and offensive cyber operations.
Warfare including Cyberspace versus Cyberspace War (or Cyber War).

Accepting that the potential for cyber attack among nations is increasing, is the concern over a devastating surprise attack in or through cyberspace valid? A review of literature over the past few years reveals a dialectic of views among authors. The popular thesis is that cyber war will definitely occur, supported by such writers as Richard Clarke and John Stone, versus an antithesis that cyber war will not occur, espoused with some controversy by Rid. Rid clarifies his argument by focusing on the enduring and evolving nature of war, asserting that "not one single cyber offense on record constitutes an act of war on its own [emphasis added]," and further contends that the incidents of sabotage, espionage, and subversion using cyberspace are "sophisticated versions of three activities that are as old as warfare itself."

In practical terms, one can argue that preparing for cataclysmic attack conducted solely through cyberspace—popularly coined cyber war—represents the worst case for planning and that a force organized and prepared to handle such an event could also mitigate any lesser events. The more likely cases involve incorporation of cyberspace activities into existing joint force operations, that is, the evolutionary integration of cyberspace warfare with the established land, sea, and air warfare. This concept is consistent with the current joint doctrine definition of cyberspace operations as "the employment of cyberspace capabilities where the primary purpose is to achieve objectives in or through cyberspace." What are some unique challenges of incorporating cyberspace into the conventional aspects of warfare?
Technical Challenges.

This section focuses on some of the exceptional tactical concepts of cyberspace operations that may present technical challenges to planners and warfighters. The purpose is not to investigate these matters in detail, but rather to provide an appreciation and proper foundation to support subsequent analysis for strategic decisionmakers.

Methods, Targets, Effects, and Intentions. 

Traditional military operations involve the application of kinetic force to produce kinetic effects that can be directly observed in the physical environment, such as a bullet or bomb hitting a target. In contrast, cyberspace operations use nonkinetic means of exchanging coded information using the electromagnetic spectrum at levels well below that of human perception to produce nonkinetic or kinetic effects. The practitioners in cyberspace ("cyber warriors") have both common core competencies, as well as specialized skill areas that may be task organized to accomplish objectives. Some of the promised advantages of cyberspace operations are that they can be direct, immediate, and predictable in method and effect. However, since the cyberspace domain is much more dynamic in its content and structure than the traditional domains, these promises are often not realized. Targets and their lines of approach in cyberspace are not static and may depend on multiple pivot points in networks to be compliant in the passage of the cyber payload. However, the actual path of the electronic package may change by the re-routing of data to compensate for failed network servers or possible intentional interference. Once delivered, the code may cause immediate collateral damage as well as nth-order effects beyond the intentions of its designers. For example, the software weapon called Stuxnet is often touted as the epitome of precise delivery of cyberspace effects, allegedly zeroing in on unique industrial control devices in Iranian nuclear refinement facilities. But in reality, less than 2 years after the attack, software security corporation Symantec reported that the malware had spread to over 100,000 hosts in over 25 countries, including the United States.

Attribution: Tactical and Strategic. 

One of the most difficult challenges in cyberspace operations is the timely and accurate attribution of their means and source. At the tactical level, if damage or other negative effects to some system are discovered, one must determine if the effects were caused by cyber means. Often, the effects themselves may not be discovered for days or weeks, thus making the forensics more difficult, as many other factors may have influenced the same system in the interim. Without delving into technical digressions, suffice it to say that merely discovering the effects and root cause of a cyber attack is not a trivial affair.

But even if the mechanics of determining the effects and causes are perfected, there remains a challenge of determining the source and intentions of the attack. Even in the land domain, this may be a challenge. Consider a vignette where the president of country A is shot by a uniformed sniper in the army of country B. On the surface, it may be very simple—direct effects and clear identities of aggressor and target. However, attribution quickly becomes complicated if the vignette occurred during the visit of the president to country C with the sniper, a dual citizen of countries A and E, shooting across a river from country D. Given these further stipulations, who does country A hold accountable for this violent act?

In cyberspace, attribution can have such levels of intricacy as attacks may be directed through multiple personas using multiple computers connected by multiple networks residing in multiple countries. Given this thorny mix of possibilities, how can strategic decisionmakers ensure they are receiving the proper and sufficient foundation of situational understanding by which to determine and judge appropriate responses? Waxman offers three questions to help assess the reliability of attribution:

What level of certainty is sufficient from an intelligence perspective to convince policy-makers as to the perpetrator? What level is sufficient to satisfy the legal requirements of self-defense? And what level is demonstrable publicly (or perhaps privately when necessary) to attain diplomatic and political support for responses?

Applying this model of technical-legal-political attribution requires a balanced approach to prevent each of the communities involved from following their favorite rabbit hole. Healey advances that "the international security community must focus on the policymakers' warning that too much time has been wasted obsessing over which particular villain pressed the ENTER key." He further refines this concept to a proposed spectrum of state responsibility for cyber attack that ranges in 10 steps from state-prohibited to state-integrated. To illustrate this, he observes that analysts were successful in tracing elements of the 2007 Estonia incident back to 178 countries, including the United States. However, this impressive technical tracking of "cyber stones" being thrown from numerous locations detracted from efforts of Western authorities to engage the likely culprit (Moscow). In later writing, Healey develops 14 criteria for analyzing nation responsibility for cyber attacks:

• Attack traced to a nation? 

• Attack traced to a state organization? 

• Attack written or coordinated in national language?

• State control over the Internet? 

• More technical sophistication than normal? 

• More targeting sophistication than normal? 

• Little popular anger at target? 

• No direct commercial benefits? 

• Direct support of hackers? 

• Attack correlated with public statements? 

• Lack of state cooperation during investigation? 

• Attack correlated with specific national policy? 

• Cui bono (who benefits)? 

• Attack strongly correlated or even integrated 
with physical force? 

We will discuss these in concert with existing international legal frameworks in the Assessment Criteria section of this monograph.

Speed, Perception, and Complexity - the Role of Chance. 

In testimonies before a congressional committee, General Keith Alexander, former Commander, U.S. Cyber Command, stated that the U.S. military needs a "pro-active, agile cyber force that can 'maneuver' in cyberspace at the speed of the Internet" and mentioned that the interagency and international exercise Cyber Flag "introduced new capabilities to enable dynamic and interactive force-on-force maneuvers at net-speed." The speeds of weapon systems movement and tempo of operations are essential considerations for military planners and commanders. How the "speed of cyber" compares to activities in other operational domains should be of interest to modern military decisionmakers.

Although there are many ways to depict this, Figure 1 illustrates typical speeds of executing operations in each domain versus the distance traveled in the domain in 20 milliseconds, which is the average time for an information payload to traverse to an Internet node halfway around the world and return. Each axis of the graphic is logarithmic, which means that each mark on the axis is an order of magnitude greater than the previous mark. Examining this, one can see that cyberspace operations occur in a realm of speed that is over 20,000 times faster than operations in the space domain; over 200,000 times faster than the air domain, and 10 million times faster than the land and sea domains. Why is this significant? Granted, the manifestation of any kinetic effects in the physical world will propagate at about the same rate independent of the method of delivery. But the increased pace of cyberspace activities means that a weaponized software payload may be delivered on target in less time than your brain can perceive the visual content of this page. In the time it takes for a trained mind to comprehend it as a potential threat, there may be numerous cycles of cyber fires and maneuver. These factors may reduce the time frame for the observe-orient-decide-act (OODA) loop for tactical operators to a realm that may be described as ultra-tactical. Such cyber warfare exchanges may create even larger problems for military operations requiring permissions and authorities of higher headquarters.

Figure 1: A Comparison of Operational Speed and Distance in Military Domains.

The dynamic nature of cyberspace adds more conceptual hurdles for decisionmakers trying to make sense of activities. The cyberspace domain can be modeled as a complex adaptive system—a system of systems with a complex macroscopic collection of similar and partially connected microstructures formed to adapt to a changing environment. The intricate interactions within such systems may lead to spontaneous self-organization and synchronization that produce emergent and unanticipated macroscopic behavior. Such behavior may be exacerbated when there is a high degree of homogeneity and integration in microscopic structures, such as the widespread use of standard operating systems. A controversial report on Microsoft in 2003 posited that use of a "single dominant operating system in the hands of all end users is inherently dangerous." To facilitate the full range of operations for U.S. Cyber Command, the Defense Information Systems Agency (DISA) is developing the Joint Information Environment with enterprise-wide architectures and standardized identity and access management. While this may enhance the capability of cyberspace operations, it may be prudent to realize that these same characteristics also increase the prospect of emergent behavior in the warfighter operations, perhaps initiated by natural phenomena such as geomagnetic storms. Thus, planners should realize that any cyber weapon must traverse an ever-changing terrain to deliver its payload, and that its effects may trigger mechanisms in the domain that produce emergent events that are unpredictable, and possibly undesirable, in consequence and severity.

Clearly, the result of the combined aspects of speed, perception limitation, and system complexity may have far-reaching implications for the reliability of information presented to support decisionmaking in the cyberspace domain. In the traditional Clausewitzian trinity, such operations gravitate toward the "chance" apex with normal and emergent cyberspace activity (e.g., Internet activities), enabling the spread of "cyber fog and friction." But is such drastic behavior of a system realistic or mere theory? Consider the recent events of April 23, 2013, where automated trading algorithms on Wall Street triggered a temporary drop of 130 points (worth approximately $134 billion) based on false information from a hacked Associated Press Twitter account. The Tweet indicated that President Barack Obama had been injured in an explosion at the White House. What if a similar emergent event occurred in a military cyberspace common operational picture? Imagine what could happen if the physical or cyber equivalent of the May 2013 missile tests by North Korea were monitored as indicators in an attack assessment system. What if a natural event akin to the February 2013 Chelyabinsk meteor released mega-tonnage of blast effects near any of the missile impact zones—how would this be assessed and reported by the system? What criteria would senior decisionmakers use to determine if an attack had occurred?

ASSESSMENT CRITERIA 

This section explores the de jure and the de facto issues involved with assaying cyber incidents to determine if they represent aggression and possible use of force; and if so, to what degree? At this point, we will assume for the purpose of this monograph that the information gathered regarding a potential negative incident in cyberspace is fully accurate. Certainly, this is not a trivial task, but once the information is received, evaluated, and passed to the proper authorities—what happens next? What criteria may they use to determine the severity of the incident as well as the appropriateness, necessity, and urgency to respond?

Legal Frameworks. 

The purpose here is to describe what exists in international law regarding cyberspace activities and to establish a foundation for criteria contained therein; it will not discuss any issues regarding legal adequacy. Readers interested in a more detailed analysis should explore some of the seminal works in this field by experts like Walter Gary Sharp, Sr., and Thomas C. Wingfield.

United Nations Charter. 

There are many publications that delve into the details of how the existing Charter of the United Nations (UN) may apply to activities in cyberspace among sovereign nations. Most focus on the following articles of the charter when addressing this issue (see Appendix 1 for the full text of these articles):

• Article 2(1): Establishes "the principle of sovereign equality" for member countries.

• Article 2(4): Requires members to "refrain in their international relations from the threat or use of force" in ways not consistent with the purposes of the UN.

• Article 25: Requires members "to accept and carry out the decisions of the Security Council."

• Article 39: Establishes that "the Security Council shall determine the existence of any threat to the peace, breach of the peace, or act of aggression" and make recommendations or decide measures accordingly.

• Article 41: Establishes that the Security Council may decide what measures not involving uses of armed force can be "employed to give effect to its decisions."

• Article 42: Stipulates that if measures under Article 41 are inadequate, the Security Council can escalate to the use of air, sea, or land forces "as may be necessary to maintain or restore international peace and security."

• Article 51: Establishes "the inherent right of individual or collective self-defense if an armed attack occurs."


In March 2014 testimony to Congress as part of his 
nomination process for command of U.S. Cyber Com- 
mand, Vice Admiral Michael Rogers summed up the 
DoD policy regarding the UN principles as follows: 

As a matter of law, DoD believes that what consti- 
tutes a use of force in cyberspace is the same for all 
nations, and that our activities in cyberspace would be 
governed by Article 2(4) of the U.N. Charter the same 
way that other nations would be. With that said, there 
is no international consensus on the precise definition 
of a use of force, in or out of cyberspace. Thus, it is 
likely that other nations will assert and apply different 
definitions and thresholds for what constitutes a use 
of force in cyberspace, and will continue to do so for 
the foreseeable future.


In other words, the language contained in the UN 
Charter may be interpreted differently for specific 
circumstances due to cultural and political factors. 
As witnessed in the evolving situation in the Crime- 
an Peninsula, any such incongruity is not unique to 
matters in cyberspace. A significant dynamic in UN
affairs that may impact cyberspace matters is the per- 
manent membership of the United States, Russia, and 
China on the Security Council, which permits each to 
have veto power in that forum. 

The provisos of the UN Charter include a spectrum 
of hostile activities among members that include (in 
increasing order of violence): use of force, threat to the 
peace, breach of the peace, act of aggression, armed 
attack, and armed conflict. While "act of war" is not 
defined within the charter, activities of armed conflict
conducted by an aggressor member against a victim 
member could serve as an implicit definition. But how 
does one evaluate whether an act of aggression in cy- 
berspace is an attack? In 1999, renowned military legal 
expert Michael Schmitt proposed seven factors that 
countries could use as criteria to determine whether 
specific cyberspace operations amounted to a use of 
force, or more. These factors, commonly referred to as 
the "Schmitt criteria," are severity, immediacy, directness,
invasiveness, measurability, presumptive legitimacy,
and responsibility.

Collective Defense Agreements. 

In general terms, the UN recognizes the menace to 
international peace posed by cyber attacks, and it pro- 
mulgates cooperative activities among member coun- 
tries to address such threats. UN Secretary-General 
Ban Ki-moon summarized this view in his remarks 
to the Seoul Conference on Cyberspace, Seoul, Korea, 
October 17, 2013: 

Cyberattacks have the potential to destabilize on a 
global scale. Cybersecurity must therefore be a matter 
of global concern. We need to work together to bol- 
ster confidence in our networks, which are central to 
international commerce and governance. We need to 
strengthen national legislation, push for international 
frameworks for collaboration and adopt the necessary 
means to detect and defuse cyber threats (available 
from www.un.org/sg/statements/index.asp?nid=7209).

In more specific terms, UN Article 51 provides 
for collective self-defense if an armed attack occurs. 
Of course, the North Atlantic Treaty Organization 
(NATO) is one of the most important collective defense
agreements for the United States. The NATO
Strategic Concept from its 2010 Lisbon conference elu- 
cidated that collective cyber defense among its mem- 
bers applies not only to kinetic but also to cyber activi- 
ties as part of the "full range of capabilities necessary 
to deter and defend against any threat to the safety 
and security of our populations." Further, the concept 
calls for NATO members to: 


Develop further our ability to prevent, detect, defend 
against and recover from cyber-attacks, including by 
using the NATO planning process to enhance and co- 
ordinate national cyber-defence capabilities, bringing 
all NATO bodies under centralized cyber protection, 
and better integrating NATO cyber awareness, warning
and response with member nations.

This is an important extension of traditional NATO 
obligations, and it was driven by such events as the 
April-May 2007 cyber attacks on Estonia. Historians 
and analysts note that NATO collective defense mea- 
sures were not initiated during this crisis, mainly be- 
cause NATO had not yet defined cyber attack as a clear 
military action. However, with the increased scope
of NATO activities, the United States must include the 
stipulations of NATO Articles 4 and 5 (see Appendix 
1) in its criteria for assessing potential attacks in or 
through cyberspace. One proposed NATO cyber early 
warning framework emphasizes the examination of 
purpose, target, context, and scale to help differentiate
tactical from strategic cyber attack.

Law of Armed Conflict. 

Although this monograph is not designed to develop
responses to cyber attacks, it is important to consider
the potential follow-on consequences to classifying
an incident as an act of war. If the United States seeks 
a military response to such an incident, then it enters 
into the regime of international rules that help to de- 
fine acceptable measures. Central among these is the 
Law of Armed Conflict (LOAC), which is built upon 
four principles to ensure that jus in bello is legal and
moral: military necessity, distinction (or discrimina- 
tion), proportionality, and unnecessary suffering (or 
humanity). While there are many LOAC-related trea- 
ties in force today, most have their foundation in the 
"Hague Tradition" of regulating the means and meth- 
ods of warfare and the "Geneva Tradition" regarding 
the respect and protection of victims of warfare.

Several authors have studied possible interpretation
of LOAC applied to cyberspace activities in concept
as well as case studies. The U.S. Air Force has
codified this concept in part by requiring legal review 
for use of cyber capabilities. This review includes an 
examination of the concept of operation and the rea- 
sonably anticipated effects of employment as well as 
any specific rules of law that prohibit or restrict its 
use. Further, if there is no explicit prohibition, two 
additional questions are considered regarding the 
possibility of superfluous injury and the potential for 
the capability to be directed against a specific military 
objective. Such efforts will remain a work in progress
as operations in the cyberspace domain continue to be 
integrated into joint military operations. 

Pictet Criteria for Armed Attack. 

Many legal scholars posit that criteria developed 
by Jean Pictet to examine if actions can be interpreted 
as armed conflict under the 1949 Geneva Conventions 
may also be applied to cyberspace. Specifically, Pictet
considered the scope, duration, and intensity of a use 
of force to see if the aggregate was sufficient to be 
considered an armed attack. While elegant in their simplicity,
these criteria require additional context to be
practical for cyberspace applications. David Graham, 
Executive Director of The Judge Advocate General's 
Legal Center and School, identifies three analytical 
frameworks to facilitate this process. The first is an "in- 
strument-based approach," which considers whether 
the damage resulting from a cyber attack could previ- 
ously have been achieved only by kinetic means. The 
second framework is an "effects-based approach," of- 
ten called "consequence-based model," which focuses 
on the overall effect of the attack on the victim states 
without comparison to kinetic means. Graham posits 
that this is the model adopted by the United States. 
The third framework is the "strict liability approach," 
which simply regards any cyber attack against criti- 
cal national infrastructure as an armed attack. For the 
United States, applicable targets would be systems 
defined in the Critical Infrastructure Protection Act of 
2001. Graham notes that while there is some debate 
as to which should be the preferred model, "propo- 
nents of all three approaches agree on the singularly 
important conclusion that cyber attacks can constitute 
armed attacks."

The Tallinn Manual. 

History and Purpose. 

In 2009, a group was organized by the NATO Cooperative
Cyber Defence Centre of Excellence (CCDCOE)
to undertake "an expert-driven process designed
to produce a non-binding document applying
existing law to cyber warfare." This assemblage of 46 
participants included international legal and techni- 
cal experts, as well as observers from NATO's Allied 
Command Transformation, the International Com- 
mittee of the Red Cross, and U.S. Cyber Command. 
Developed over 3 years, the primary end product of 
their collective effort is the Tallinn Manual on the International
Law Applicable to Cyber Warfare.

This extensive study faced many challenges, 
among which was the realization that views on the 
subject ranged from one where cyber warfare must 
follow strict LOAC compliance to the more liberal po- 
sition that, whatever is not specifically forbidden by 
law, is generally permitted. The findings of this thor- 
ough examination are expressed in 95 rules within 
seven chapters that are divided into two major parts: 
"States and cyberspace" and "The law of cyber armed 
conflict." The group's analyses addressed applying 
jus ad bellum and jus in bello principles to cyber war- 
fare, with emphasis on cyber-to-cyber operations. The 
group readily acknowledges that its discussions often 
drew upon content from the military manuals of Can- 
ada, Germany, the United Kingdom, and the United 
States. In contrast, the group did not intend their work 
to produce a manual on the holistic aspects of cyber 
security and thus did not address cyber activities be- 
low the level of "use of force," such as cyber crime, 
espionage, national law, or domestic legislation. Con- 
tent was reached by consensus among the group, not 
through full unanimity. 

Schmitt-Tallinn Criteria for Use of Force.

Tallinn Manual Chapter 2, "The Use of Force," in- 
cludes Rules 10 through 19, many of which align with 
existing international convention. Specifically, Rule 13, 
"Self-defense against armed attack"; Rule 16, "Collec- 
tive self-defense"; and Rule 17, "Reporting measures 
of self-defense" include references to UN Article 51. 
Also, Rule 18, "United Nations Security Council" and 
Rule 19, "Regional organizations" discuss UN Articles 
39, 41, 42, and 52. But it is Rule 11, "Definition of use 
of force," that refines and expands the Schmitt criteria 
to a list of eight factors: severity, immediacy, direct- 
ness, invasiveness, measurability of effects, military 
character, state involvement, and presumptive legiti- 
macy (see Appendix 2 for illustrative questions). But 
the team offers these criteria with strict caveats: 


The approach focuses on both the level of harm in- 
flicted and certain qualitative elements of a particular 
cyber operation. In great part, it is intended to iden- 
tify cyber operations that are analogous to other non- 
kinetic or kinetic actions that the international com- 
munity would describe as uses of force... It must be 
emphasized that they are merely factors that influence 
States making use of force assessments; they are not 
formal legal criteria.


The text also points out that neither the UN Char- 
ter nor any other authoritative source provides a defi- 
nition of "use of force," let alone any criteria for its 
assessment. Perhaps these factors can be best utilized 
in combination with other criteria. 

Spectrum of Force.

The paradigms and philosophies regarding the as- 
sociation of cyber warfare with existing international 
norms discussed in this section have slightly differ- 
ent foci. Figure 2 illustrates how all these different 
factors and criteria may be conceptually integrated 
to provide a more holistic assessment to determine 
how cyberspace incidents may be assessed as well as 
if a military response might be considered. It is not 
intended to be a rigid checklist or flowchart; rather, it 
is envisioned to serve as a starting point for staffs and 
decisionmakers to modify for their own utilization. It 
depicts increasing levels of the use of force peaking at 
armed conflict as assessments gravitate from jus ad bellum
tenets, which help guide incident analyses, to jus
in bello tenets, which help guide selection of the means
of any military response. 

Again, the chart is not meant to be linear or se- 
quential. Incidents judged to be armed attack may 
prompt a state to pursue UN Article 51 and NATO 
Article 4 actions directly, as well as to move toward a 
rapid military response that meets LOAC principles. 
Of course, such assessments will be most effective 
when they occur in the context of informed interna- 
tional situational awareness. To aid decisionmakers in 
this process, let us now examine such considerations. 

POLICY CONSIDERATIONS 

Having identified viable criteria to aid with the 
assessment of cyberspace incidents, let us now look 
at the policy considerations associated with applying 
such principles. 
This section first examines the relevant U.S. strategies;
next, it investigates the strategies of other key
countries and international organizations and how
they compare to U.S. tenets; and finally, it evaluates
how nonstate actors may affect U.S. deliberations.

[Figure 2. A Cyberspace Incident Assessment Methodology. Figure title: Cyberspace Incident Assessment Frameworks.]

Cyberspace in U.S. Strategies. 

How should a government approach the prospect 
of waging cyberspace related warfare? What ends, 
ways, and means are required, and how are they 
crafted together? Kuehl offers a concept of "cyber 
strategy" as: 

the development and employment of capabilities to 
operate in cyberspace, integrated and coordinated 
with the other operational realms, to achieve or sup- 
port the achievement of objectives across the elements 
of national power in support of national security 
strategy.

Let us examine some of the factors and unique 
challenges of developing and implementing such a 
strategy for the United States. 

National Security Strategy. 

In his May 2010 National Security Strategy, President 
Obama divides the pursuit of U.S. enduring national 
interests into four areas: security, prosperity, values, 
and international order. The theme of the increas- 
ing U.S. reliance on cyberspace in all of these areas 
is woven throughout the document, but two subsec- 
tions are of particular interest to our discourse — Use 
of Force and Secure Cyberspace. In the text, the use of 
force is tied directly to military force "to defend our
country and allies or to preserve broader peace and 
security," with the clarifications that such force will 
not necessarily be the first or only option and that cy- 
ber is a domain for military action: 

This means credibly underwriting U.S. defense com- 
mitments with tailored approaches to deterrence and 
ensuring the U.S. military continues to have the nec- 
essary capabilities across all domains — land, air, sea, 
space, and cyber. It also includes helping our allies 
and partners build capacity to fulfill their responsibili- 
ties to contribute to regional and global security. 

Clearly, the tenet of seeking broad international 
support for U.S. military action is included with spe- 
cific mentions of working with NATO and the UN 
Security Council. But the section closes with the re- 
minder that "the United States must reserve the right 
to act unilaterally if necessary to defend our nation 
and our interests."

In contrast, the Secure Cyberspace subsection de- 
lineates threats in other areas of security separate from 
those involving direct military operations. In broader 
terms, it states that "Cybersecurity threats represent 
one of the most serious national security, public safety, 
and economic challenges we face as a nation," and that 
these threats "range from individual criminal hackers 
to organized criminal groups, from terrorist networks 
to advanced nation states." Two overarching ways are 
put forth to mitigate these risks: Investing in People 
and Technology, and Strengthening Partnership. For 
the latter, the strategy affirms that the United States: 

will also strengthen our international partnerships on
a range of issues, including the development of norms 
for acceptable conduct in cyberspace; laws concerning 
cybercrime; data preservation, protection, and priva- 
cy; and approaches for network defense and response 
to cyber attacks. 

U.S. International Strategy. 

The May 2011 International Strategy for Cyberspace: 
Prosperity, Security, and Openness in a Networked World 
refined much of the cyberspace related vision of the 
National Security Strategy. It is geared toward a more 
holistic view of cyberspace captured in seven policy 
priorities: economy, network protection, law enforce- 
ment, Internet governance, Internet freedom, interna- 
tional development, and military. The envisioned U.S. 
role in cyberspace's future is threefold: diplomacy, 
defense, and development. In the context of this strat- 
egy, the broad goal of defense involves dissuading 
and deterring all types of threats: 

The United States will defend its networks, whether 
the threat comes from terrorists, cybercriminals, or 
states and their proxies. Just as importantly, we will 
seek to encourage good actors and dissuade and deter 
those who threaten peace and stability through actions 
in cyberspace. We will do so with overlapping policies 
that combine national and international network resil- 
ience with vigilance and a range of credible response 
options. In all our defense endeavors, we will protect 
civil liberties and privacy in accordance with our laws 
and principles.

However, as the text focuses on implicit threat to 
peace and uses of force, the strategy minces no words 
in its de facto declaratory statement: 

When warranted, the United States will respond to
hostile acts in cyberspace as we would to any other 
threat to our country. All states possess an inherent 
right to self-defense, and we recognize that certain 
hostile acts conducted through cyberspace could com- 
pel actions under the commitments we have with our 
military treaty partners. We reserve the right to use 
all necessary means — diplomatic, informational, mili- 
tary, and economic — as appropriate and consistent 
with applicable international law, in order to defend 
our Nation, our allies, our partners, and our interests. 
In so doing, we will exhaust all options before military 
force whenever we can; will carefully weigh the costs 
and risks of action against the costs of inaction; and 
will act in a way that reflects our values and strength- 
ens our legitimacy, seeking broad international sup- 
port whenever possible. 


This passage provides the utility of being purposefully
vague to allow flexibility in response options and
avoids establishing any discrete red lines that may un- 
dermine effective deterrence. But it clearly connotes 
that when matters intensify to where U.S. military 
forces are engaged against hostile acts in cyberspace, 
the stakes for U.S. interests are serious. So if cyber- 
space activities do escalate to the point of military in- 
volvement, what is the strategy for such engagement? 

DoD Strategy. 

In July 2011, the unclassified Department of Defense 
Strategy for Operating in Cyberspace was released after 
months of anticipation following Deputy Secretary
of Defense William Lynn III's article, "Defending a New
Domain: The Pentagon's Cyberstrategy" in the Sep- 
tember 2010 issue of Foreign Affairs. Secretary Lynn's 
conclusion provided a concise and accurate preview
of the upcoming formal strategy: 


These risks [in cyberspace] are what is driving the Pen- 
tagon to forge a new strategy for cybersecurity. The 
principal elements of that strategy are to develop an 
organizational construct for training, equipping, and 
commanding cyberdefense forces; to employ layered 
protections with a strong core of active defenses; to use 
military capabilities to support other departments' ef- 
forts to secure the networks that run the United States' 
critical infrastructure; to build collective defenses with 
U.S. allies; and to invest in the rapid development of 
additional cyberdefense capabilities. The goal of this 
strategy is to make cyberspace safe so that its revo- 
lutionary innovations can enhance both the United 
States' national security and its economic security.

Upon review, the strategy fell short of providing 
any new information or clarity regarding how DoD 
was progressing with its cyberspace activities, but 
it did consolidate the description of ongoing efforts 
into a single document. It also addressed all aspects
of military operations in cyberspace, not just those 
related to warfare: 

In developing its strategy for operating in cyberspace, 
DoD is focused on a number of central aspects of the 
cyber threat; these include external threat actors, in- 
sider threats, supply chain vulnerabilities, and threats 
to DoD's operational ability. DoD must address vul- 
nerabilities and the concerted efforts of both state and 
non-state actors to gain unauthorized access to its networks
and systems.

The strategy was organized into five strategic ini- 
tiative areas: domain-based operations; new defense 
concepts; domestic partnering; international partnering;
and technological innovation. In his analysis,
Dr. Thomas Chen of Swansea University, United 
Kingdom, notes two critical observations relevant to 
our discussion: 1) The strategy does not distinguish 
between different types of adversaries — nation-states, 
foreign intelligence, hacktivists, criminals, hackers, 
terrorists — nor does the strategy address initiatives 
for specific types of adversaries; and 2) The unclas- 
sified version of the strategy neglects to address im- 
portant issues: offense; attribution; rules for proper 
response to cyber attacks; and metrics for progress 
toward implementation.

Another limitation not mentioned by Chen is that 
the strategy does not clarify the different roles of U.S. 
Cyber Command and its Title 10 responsibilities that 
include cyber attack versus those of the National Se- 
curity Agency and its Title 50 responsibilities related 
to cyber exploitation. It does provide a vague de- 
scription of the shared commander structure of the 
two units: 


A key organizational concept behind the stand-up of 
USCYBERCOM [U.S. Cyber Command] is its co-loca- 
tion with the National Security Agency (NSA). Addi- 
tionally, the Director of the National Security Agency 
is dual-hatted as the Commander of USCYBERCOM. 
Co-location and dual-hatting of these separate and 
distinct organizations allow DoD, and the U.S. gov- 
ernment, to maximize talent and capabilities, leverage 
respective authorities, and operate more effectively to 
achieve DoD's mission.


Among the recommendations by Chen for any fu- 
ture version of the strategy is that it should address 
two fundamental issues: "When does a cyber attack 
justify a military response?" and "What is an appropriate
response?" In essence, these questions frame
the realms of jus ad bellum and jus in bello depicted in
Figure 2 and they cannot be fully answered with dis- 
crete statements. Perhaps the 2014 Quadrennial Defense 
Review (QDR) provides a general approach to the two 
questions posed by Chen: 

The Department of Defense will deter, and when ap- 
proved by the President and directed by the Secretary 
of Defense, will disrupt and deny adversary cyber- 
space operations that threaten U.S. interests. To do so, 
we must be able to defend the integrity of our own 
networks, protect our key systems and networks, conduct
effective cyber operations overseas when directed,
and defend the Nation from an imminent, destructive
cyberattack on vital U.S. interests.

While precise answers to these questions remain 
unresolved, the official views of the U.S. Government 
regarding military operations are consistent with the 
legal sources already discussed. U.S. State Depart- 
ment Legal Advisor Harold Koh went on public re- 
cord during a September 2012 conference hosted by 
U.S. Cyber Command with 10 rhetorical questions 
and answers regarding how existing international law 
applies in cyberspace. This presentation averred that 
"international law principles do apply in cyberspace," 
with several specific references to the UN Charter 
and LOAC responsibilities for States. In response,
Michael Schmitt authored an article that compared 
Koh's position with those in the draft Tallinn Manual, 
noting that: 

The relative congruency between the U.S. Govern- 
ment's views, as reflected in the Koh speech and those 
of the International Group of Experts is striking. This 
confluence of a state's expression of opinio juris with 
a work constituting "the teachings of the most highly
qualified publicists of the various nations" significant- 
ly enhances the persuasiveness of common conclu- 
sions. Of course, the limited differences that exist as 
to particular points of law render the respective posi- 
tions on those points somewhat less compelling. . . . 
The Koh speech and the Tallinn Manual are but initial 
forays into the demanding process of exploring how 
the extant norms of international law will apply in 
cyberspace. But the long overdue journey has at least 
finally begun.

In his recent confirmation hearing before Con- 
gress, the new Commander of U.S. Cyber Command, 
Admiral Rogers, reiterated his command's three-fold
mission, consistent with both the DoD Strategy and 
the QDR: 


The prioritization of capability development for na- 
tional and combatant command cyber mission forces 
flows directly from USCYBERCOM's three mission 
areas; (1) defend the nation; (2) secure, operate, and 
defend Department of Defense information networks 
(DoDIN); and (3) provide support to combatant com- 
mands. USCYBERCOM's highest priority is to defend 
the nation. This is done in parallel with activities dedicated
to securing the DoDIN and supporting combatant
commands.


Evidently, there is considerable content in U.S. 
national, international, and military strategies to help 
guide decisionmakers and planners in their assessment
of and response to any use of force in cyberspace.
Also, while they do not provide discrete criteria for 
such tasks, these documents do have consistent, but 
evolving, legal and organizational frameworks for 
any supporting analyses. How does this compare to 
the rest of the world regarding approaches to national 
security and military activities in cyberspace? 

The International Community.

Prominent cyber security expert Melissa Hatha- 
way conducted a detailed assessment of the cyber 
security readiness of 35 countries. The initial report, 
released in November 2010, found that "27 of 35 coun- 
tries have a [published] Cyber Security Strategy, yet 
few are measuring progress and even fewer have in- 
vested in the strategy's successful outcome." Of these, 
only Australia, Canada, The Netherlands, the United 
Kingdom, and the United States had actions by their 
governments that met all five of the study elements.
In implementing its cyberspace strategy, DoD has 
identified "both senior-level and expert coordinat- 
ing activities with Australia, Canada, New Zealand, 
and the United Kingdom" as well as its efforts toward 
"strengthening its relationships with Japan and the 
Republic of Korea." All seven of these countries have
national cyber security strategies with competent au- 
thority. Of course, such strategies are mere documents 
unless action is taken. For our purposes, let us accept 
them at face value as a reflection of interests, values, 
and priorities. 

Due to the study's selection criteria for countries, 
there was little coverage of South America and Africa 
(only 4 of the 35 countries). However, there are orga- 
nizations on these continents that are developing and 
incorporating cyber security policies. The 35-member 
strong Organization of American States (OAS) adopt- 
ed a comprehensive strategy to combat threats to cy- 
ber security that addresses issues of cyber crime and 
terrorism, "but it has not yet developed a more active 
program for addressing cyber-attacks more generally."
The OAS General Assembly Resolution calls for
cooperation and collaboration, but makes no mention 
of military activities or collective defense: 

The destruction of data that reside on computers
linked by the Internet can stymie government func- 
tions and disrupt public telecommunications service 
and other critical infrastructures. Such threats to our 
citizens, economies, and essential services, such as 
electricity networks, airports, or water supplies, can- 
not be addressed by a single government or combated 
using a solitary discipline or practice.


The African Union (AU), comprising 54 states, 
is developing a convention with concepts similar to 
those of the OAS. To wit, their draft capstone docu- 
ment makes no mention of military activities; rather, it 
guides its members toward the following endeavors: 

As part of the promotion of a culture of cyber security,
Member States may adopt the following measures: de- 
vise a cyber security plan for the systems run by their 
governments; conduct research and devise security 
awareness-building programmes and initiatives for 
the systems and networks users; encourage the devel- 
opment of a cyber security culture in enterprises; fos- 
ter the engagement of the civil society; launch a com- 
prehensive and detailed national awareness raising 
programme for home users, small business, schools, 
and children.


In contrast, the 2013 Cybersecurity Strategy of the 
European Union (EU) adopts a broad approach which 
addresses civilian and military aspects as well as po- 
tential seams with NATO responsibilities: 

Given that threats are multifaceted, synergies between 
civilian and military approaches in protecting critical 
cyber assets should be enhanced. These efforts should 
be supported by research and development, and closer 
cooperation between governments, private sector and 
academia in the EU. To avoid duplications, the EU will
explore possibilities on how the EU and NATO can 
complement their efforts to heighten the resilience of 
critical governmental, defence and other information 
infrastructures on which the members of both organisations
depend.

NATO. 

NATO's cyber defense program has progressed 
significantly since its adoption in 2002 at the Prague 
Summit, spurred by cyber incidents against NATO 
during Operation ALLIED FORCE. The initial organi- 
zation included the creation of the NATO Computer 
Incident Response Capability designed to prevent, detect,
and respond to future cyber incidents. Following
the 2007 cyber attacks on Estonia, the 2008 Bucharest 
Summit laid the foundation for two major NATO in- 
stitutions: the Cyber Defense Management Authority 
and the Cooperative Cyber Defense Center of Excellence.
Acting upon declarations from the 2010 Lisbon
Summit, in June 2011, a formal NATO policy on
cyber defense was released with the stated focus as: 

In order to perform the Alliance's core tasks of col- 
lective defence and crisis management, the integrity 
and continuous functioning of its information systems 
must be guaranteed. NATO's principal focus is there- 
fore on the protection of its own communication and 
information systems. Furthermore, to better defend 
its information systems and networks, NATO will 
enhance its capabilities to deal with the vast array of 
cyber threats it currently faces. 

New policies and capabilities are vetted through 
the Cyber Defense Management Board. Overall progress
toward normalizing cyber activities into NATO
operations can be summarized as: 

Allies also agreed at the Lisbon Summit that cyber 
defence and relevant capabilities need to be included 
in NATO's Defence Planning Process (NDPP). In June 
of 2013 NATO Defence Ministers approved the initial 
integration of cyber defence capability targets into the 
NDPP. This process will help to harmonize important 
work on cyber policy and procedures within NATO 
and at the national level to ensure that the Alliance's 
overall cyber defence capability meets agreed targets.


"Near Peer" Rivals - Russia and China. 


Among the many countries that the United States 
and its allies may face as opponents in cyberspace,
Russia and China have the most formidable nation- 
al capabilities to consider. In addition to cyberspace 
forces, they also have significant global economic, 
military, and political powers. Both have enduring 
nuclear forces; both are permanent members of the 
UN Security Council; and both have publicly dis- 
cussed elements of their cyber security strategies. In 
his January 2014 Senate testimony on the Worldwide 
Threat Assessment, Director of National Intelligence 
(DNI) James R. Clapper noted: 

Russia and China continue to hold views substantially 
divergent from the United States on the meaning and 
intent of international cyber security. These diver- 
gences center mostly on the nature of state sovereignty 
in the global information environment states' rights 
to control the dissemination of content online, which 
have long forestalled major agreements.

A March 2014 study by Keir Giles, director of
the Conflict Studies Research Centre, and Andrew 
Monaghan, a Research Fellow at St. Antony's College, 
Oxford, echoes this view: 

In fact, China, Russia, and a number of like-minded 
nations have an entirely different concept of the appli- 
cability of international law to cyberspace as a whole, 
including to the nature of conflict within it. These na- 
tions could therefore potentially operate in cyberspace 
according to entirely different understandings of what 
is permissible under international humanitarian law, 
the law of armed conflict, and other legal baskets
governing conduct during hostilities.

Specifically regarding the determination of an act 
of war in cyberspace, they conclude "On this point, 
Russian thinking appears at odds with the emerging 
Western consensus."

The uses of cyberspace activities to support mili- 
tary options have been postulated in operations in 
Estonia (2007) and Georgia (2008), as well as ongoing 
activities with Ukraine. Concerning the evolution of 
its military forces, Clapper noted:

Its [Russia's] Ministry of Defense (MOD) is establish- 
ing its own cyber command, according to senior MOD 
officials, which will seek to perform many of the func- 
tions similar to those of the US Cyber Command. Rus- 
sian intelligence services continue to target US and 
allied personnel with access to sensitive computer 
network information.


The current Russian perspective is expressed in its 
2011 cyber security document, which addresses the 
connection of international law to operations by its 
armed forces as:

Peculiarities of the military activity in the global
information space are guided by the following regulations
and principles thereof: respect towards national sov- 
ereignty, non-interference in internal affairs of other 
states, non-use of force and threat of force, [and] rights 
for individual and collective self-defense.


The strategy goes on to promulgate the "contain- 
ment and prevention of military conflicts in the infor- 
mation space" utilizing such means as: force readiness; 
cooperative efforts through the Collective Security 
Treaty Organization, Commonwealth of Independent 
States, and the Shanghai Cooperation Organization; 
escalation prevention; and the resolution of conflicts 
by agreement or other peaceful means, such as the UN 
Security Council. It summarizes its goals in the final
paragraph: 

Implementing this Conceptual Perspective, the Armed 
Forces of the Russian Federation shall strive towards 
the maximum use of the opportunities of the informa- 
tion space for strengthening the defensive potential of 
the state, the containment and prevention of military 
conflicts, the development of military cooperation, as 
well as the formation of the system of international in- 
formation security in the interests of the entire global 
community.

Officials from China have listed similar goals in 
public statements, referring to their collective efforts 
with Russia, Tajikistan, Uzbekistan, Kazakhstan, and 
Kyrgyzstan to have the UN accept an "International 
Code of Conduct for Information Security" that they 
introduced to the General Assembly in 2011. The
proposed code would be voluntary for nations and 
it is organized into four categories: peace, security,
openness, and cooperation. In drafting the code, they
claim that "China and other cosponsors tried their best 
to reflect international consensus in a comprehensive 
and balanced manner." These statements also
contained some thinly veiled criticisms of U.S. cyberspace
activities: 


Some countries keep others from participating in the 
equitable distribution of information resources and en- 
joying the digital dividends by monopolizing critical 
information resources. Some countries are developing 
cyber military capabilities and threatening others with 
preemptive strikes, turning the information space into 
a new battlefield. Some negative incidents exposed 
recently indicate that many countries' data security 
and personal privacy were compromised and caused 
widespread concern of the international community.

It is reasonable to assume the following was di- 
rected at the establishment of U.S. Cyber Command: 

To ensure a country's security by developing its cyber 
military capabilities and seeking military advantage 
is not only untenable, but is triggering arms race and 
increasing the possibility of conflicts in information 
space, which is against the common interests of the in- 
ternational community. China believes that countries 
should comply with the UN Charter and the basic 
principles governing international relations, not to use 
force or threaten to use force in information space, and 
settle disputes through peaceful means. 

Such language supports the findings of an April 
2013 workshop hosted by the University of California 
on the political, economic, and strategic dimension of 
China's cyber security. The workshop noted that "the 
security of global information systems has become a 
contentious issue in U.S.-China relations," and further
specified that "failure to appreciate China's domestic 
economy and politics can lead to a profound
misunderstanding of its international activities." This view
is in concert with Clapper's recent report: 

China's cyber operations reflect its leadership's priori- 
ties of economic growth, domestic political stability, 
and military preparedness. Chinese leaders continue 
to pursue dual tracks of facilitating Internet access for 
economic development and commerce and policing 
online behaviors deemed threatening to social order 
and regime survival.

Finally, China's own words before the UN General 
Assembly substantiate the DNI assessment by making 
a "don't tread on me" statement: 

We should adhere to the principle of balance between 
freedom and law. Information space is no "global do- 
main". Countries should enjoy state sovereignty in 
information space. The governments are entitled to 
managing its network-related activities and have the 
jurisdiction over its information infrastructures within 
its territory. Under such premises, we should protect 
the freedom for all in information space. Countries 
shouldn't use ICTs [information and communication 
technologies] to interfere in other countries' internal 
affairs and undermine other countries' political, eco- 
nomic, and social stability as well as cultural envi- 
ronment. Countries should not take advantage of its 
dominant position in information space to undermine 
other countries' right of independent control of ICT 
products and services.

Any Chinese implementation of military action in 
cyberspace will likely focus on their concept of
"informationalized" warfare utilizing "tactics known
as 'cocktail warfare', a concept developed in the 1999
book Unrestricted Warfare," which describes "new
concepts of weapons [that] involve the ability to combine
various elements to produce types of weaponry never
imagined before."

While it is doubtful that Russia and China will 
form any enduring cyber alliance, they appear to be 
acting in concert with mutual interest to shape the in- 
ternational legal environment to keep as much control 
as possible over internal cyber matters without
interference from others. In addition to Russia and China, the
other two countries mentioned prominently in U.S. 
public documents are Iran and North Korea. Clapper 
noted that "Iran and North Korea are unpredictable 
actors in the international arena. Their development 
of cyber espionage or attack capabilities might be 
used in an attempt to either provoke or destabilize 
the United States or its partners." Of course, there
are many other countries that may derive benefit from 
interfering with U.S. military activities, but they will 
not be discussed any further here. Instead, let us con- 
sider nonstate groups that may influence (positively 
or negatively) operations in cyberspace. 

Nonstate Actors. 

Daily, billions of individuals connect to the Inter- 
net, each with numerous associations to governmen- 
tal, commercial, and social groups formed in struc- 
tures that may range from rigorous to ad hoc fashion. 
Therefore, there are too many potential nonstate actors 
(individual and collectives) to list, let alone analyze. 
To illustrate the prospective roles that certain nonstate 
entities may play in international cyberspace activi- 
ties, let us consider three areas that may have the most 
influence on the implementation of U.S. strategies.

Non-Governmental Organizations and Governing Bodies.


In July 2010, the U.S. Government Accountability 
Office (GAO) was tasked to examine Internet gover- 
nance and other aspects of global cyberspace shared 
interests. They focused on 19 organizations consid- 
ered by experts as the most important and influential. 

The organizations range from information-sharing 
forums that are nondecision-making gatherings of 
experts to private organizations to treaty-based, de- 
cision-making bodies founded by countries. Their ef- 
forts include those to address topics such as incident 
response, technical standards, and law enforcement 
cooperation. These entities have reported ongoing ini- 
tiatives that involve governments and private indus- 
try stakeholders to address a broad set of topics, such 
as implementation of incident response mechanisms, 
the development of technical standards, the facilita- 
tion of criminal investigations, and the creation of in- 
ternational policies related to information technology 
and critical infrastructure.


Active participation in these venues provides op- 
portunities to shape international cyberspace infra- 
structure and functional protocols as well as security 
policies. Accordingly, the GAO report identifies 73 
areas where the roles of U.S. federal entities (primar- 
ily Departments of Commerce, Defense, Homeland 
Security, Justice, and State) include involvement with 
these organizations. Fulfilling these roles is a complex 
process and the report notes that "federal agencies 
have not demonstrated an ability to coordinate their 
activities and project clear policies on a consistent
basis." This may be due in part to the evolving elements
of the overall U.S. strategy regarding cyberspace; the
GAO cautions that: 


Unless agency and White House officials follow a 
comprehensive strategy that clearly articulates over- 
arching goals, subordinate objectives, specific activi- 
ties, performance metrics, and reasonable time frames 
to achieve results, the Congress and the American 
public will be ill-equipped to assess how, if at all, fed- 
eral efforts to address the global aspects of cyberspace 
ultimately support U.S. national security, economic, 
and other interests.


To add to these challenges, other countries as part 
of their own strategies may be working counter to U.S.
efforts with multinational bodies. Clapper noted that 
"Russia presents a range of challenges to US cyber 
policy and network security. Russia seeks changes to 
the international system for Internet governance that 
would compromise US interests and values." Further, 
he concludes that, "Internationally, China also seeks 
to revise the multi-stakeholder model Internet gov- 
ernance while continuing its expansive worldwide 
program of network exploitation and intellectual 
property theft."


Malicious Actors. 


Unlike groups that strive for cyberspace gover- 
nance that provides fair and stable access to settings 
such as the Internet, some actors actually thrive on the 
unpredictable, uncertain, and vulnerable nature of the 
same. Such nonstate actors may derive power by their 
exploitation of cyberspace and may be driven by a va- 
riety of motivations — ideology (political or religious), 
monetary gain, knowledge sharing, or even destruction
of societal structures.

Malicious actors of all kinds — terrorists, criminals,
hacktivists, thrill-seekers, and so forth — may cause
negative effects on critical systems and infrastructure 
that could be mistakenly attributed to nations and thus 
entered into the assessment of an attack. Unfortunate- 
ly, many of these groups may not consider the broader 
implications of their disruptive activities. Assemblag- 
es such as WikiLeaks, LulzSec, and Anonymous may 
see themselves as "combatants in a war to achieve the 
goal of Internet freedom" who may take "pride in
being unstructured without hierarchy or central
authority." Despite this sentiment, these nonstate actors are
able to not only coordinate sophisticated attacks, but 
also provide volunteers with the software necessary 
to participate: 

The Operation Payback was launched by a group of 
WikiLeaks supporters, after multiple financial service 
providers stopped their services for WikiLeaks after 
the latest, massive disclosure of classified US docu- 
ments. The attacks were carried out by using an open 
source network attack application called Low Orbit 
Ion Cannon. The attacks were coordinated by using 
internet forums, Twitter and some C&C [command &
control] servers. 

Ironically, even the most extreme of these actors 
still have a vested interest in maintaining a functional 
structure in cyberspace from which they can obtain 
power. 

Commercial Sector. 

The information and communications systems 
that form part of cyberspace infrastructure are largely 
owned and operated by domestic and international 
commercial interests. Considering this, the 2009
Cyberspace Policy Review observed that "addressing
network security issues requires a public-private
partnership as well as international cooperation and
norms." The volume of commerce activity that
utilizes cyberspace is far from trivial. In June 2011, then
Secretary of Commerce Gary Locke stated that indus- 
try estimates claim that the Internet "global network 
helps to facilitate $10 trillion in online transactions 
every single year." But unfortunately, the security
efforts applied across such a magnitude of economic 
bustle may be spotty and disproportionate: 

Despite increasing awareness of the associated risks, 
broad swaths of the economy and individual actors, 
ranging from consumers to large businesses, still do 
not take advantage of available technology and pro- 
cesses to secure their systems, nor are protective mea- 
sures evolving as quickly as the threats. This general 
lack of investment puts firms and consumers at greater 
risk, leading to economic loss at the individual and
aggregate level and poses a threat to national security.

Indeed, recent commercial security breaches dem- 
onstrate why this is a concern. The impacts can be sub- 
stantial, such as the hacks into Target store systems 
that affected as many as 40 million consumers during 
the 2013 holiday season. Perhaps more worrisome
is the discovery of the Heartbleed vulnerability in the 
OpenSSL program that may allow criminals to hack 
over 500,000 websites, many designed to conduct
secure business transactions.

Not surprisingly, the volume of commercial ac- 
tivity performed over networks is also not inconse- 
quential and vast amounts of the overall bandwidth 
availability may be used by a few application groups. 
For example, streaming video providers account for
a significant portion of Internet usage during peak 
hours, such as Netflix (32 percent) and YouTube (19 
percent). This congestion may make it more difficult 
for military forces to operate in cyberspace during 
peak hours and it is reasonable to assume that the de- 
mand for cyberspace by news agencies and social me- 
dia may increase appreciably during a national crisis. 
This also raises the question: What is the balance of 
responsibilities between government forces and com- 
mercial parties to protect against attacks and mitigate 
any impacts? A recent study on national cyber secu- 
rity frameworks examined this and observed: 

Three issues are central to the national security debate: 
how does the government assure the availability of 
essential services; provide for the protection of intel- 
lectual property; and maintain citizen confidence (and 
safety) when participating in the internet economy? 
Nations are struggling with finding the appropriate 
mix of policy interventions and market levers to boost 
the impacts of ICT [information and communications 
technology]. 

While military planners and operators may deem 
it advantageous to view cyberspace as an operational 
domain, the policy considerations presented in this 
section indicate that decisionmakers may have more 
success using a commons paradigm. With all this in 
mind, how should we develop and weigh options 
to assess and respond to potential uses of force in 
cyberspace? 




COURSES OF ACTION 

This section examines the influences that course of 
action development and implementation may have on 
the assessment of cyberspace incidents. It first looks 
at the President's role as the primary decisionmaker 
in U.S. national matters regarding cyberspace. It then 
surveys key influences affecting subordinate deci- 
sionmakers and their staffs that may be advising the 
commander in chief: reliable situational awareness, 
global and domestic environment considerations, and 
options and their related risks and potential conse- 
quences. While this is necessary to provide a context 
and insight into the consequences of the assessment, it 
is important to remember that this monograph's pri- 
mary focus is on analyzing incidents and supporting 
decisionmakers, not on how to choose and implement 
the appropriate types of responses. 

U.S. Implementation: Who Makes the Call? 

Assessing a cyberspace incident as a potential 
use of force, even when armed with frameworks like 
those depicted in Figure 2, is indeed a mixture of sci- 
ence and art. As articulated in the White House's 2009 
Cyberspace Policy Review, evaluations of this sort are 
not optional: 

The Federal government cannot entirely delegate or 
abrogate its role in securing the Nation from a cyber 
incident or accident. The Federal government has the 
responsibility to protect and defend the country, and 
all levels of government have the responsibility to
ensure the safety and wellbeing of citizens.

For such deliberation within the U.S. Government,
one thing is clear — the ultimate decision authority is 
the President: 


Without question, some activities conducted in cyber- 
space could constitute a use of force, and may as well 
invoke a state's inherent right to lawful self-defense. In 
this context, determining defensive response to even 
presumptively illegal acts rests with the
Commander-in-Chief.


Even so, while the overall responsibility belongs 
to the chief executive, there are many advisors and 
staffs with varying levels of delegated authority to 
gather information and synthesize their best advice 
to support the decisionmaking through constitutional 
processes. 

It is up to the President to determine when, based 
upon the circumstances of any event, including a cy- 
berspace event, and the contemplated response that 
the President intends to proceed with, what consulta- 
tions and reports are necessary to Congress, consistent 
with the War Powers Act.


Due to the dynamic nature of not only cyberspace 
activities but also international happenings in general, 
Congress tasked DoD to address the following in a 
2011 report: 

The necessity of preserving the President's freedom of 
action in crises and confrontations involving nations 
which may pose a manageable conventional threat 
to the United States but which in theory could pose 
a serious threat to the U.S. economy, government, or 
military through cyber attacks.


The DoD response outlined measures in three
areas: intelligence and situational awareness; defense
and resilience; and options of response using all nec- 
essary means of national power. While there is no 
discrete checklist or methodology that will facilitate 
this process for the President, advisors, and
associated staffs, Figure 3 may serve as a general guide. It
expands the conceptual framework of Figure 2 for 
assessing cyberspace incidents to include issues and 
considerations that should influence the decisionmak- 
ers. In implementing the framework, one must bal- 
ance the demands represented by the various inputs to 
provide senior decisionmakers with the best possible 
advice. The influences of national purpose, interests, 
and policies were covered in the previous section. The 
influences of the other four inputs are addressed in 
the remainder of this section. 



Figure 3. Course of Action Influences on 
Cyberspace Incident Assessment.

Reliable Situational Awareness.


Incident Reporting. 

Reliable situational awareness is critical to the 
assessment of incidents in cyberspace. How do the 
President and other government officials get such in- 
formation? In October 2009, then Secretary of Home- 
land Security Janet Napolitano established the Na- 
tional Cybersecurity and Communications Integration 
Center (NCCIC): 

This 24-hour watch and warning center serves as the 
nation's principal hub for organizing cyber response 
efforts and maintaining the national cyber and com- 
munications common operational picture. DHS [De- 
partment of Homeland Security] also works with the 
private sector, other government agencies and the in- 
ternational community to mitigate risks by leveraging 
the tools, tradecraft, and techniques malicious actors 
use and converting them into actionable information 
for all 18 critical infrastructure sectors to use against 
cyber threats. 

As this description indicates, the focus of the NC- 
CIC is on the "dot gov" portion of the Internet, as 
well as broader protection of the nation's critical in- 
frastructures and coordination with the private sector. 
DoD has a more narrow focus on protecting the "dot 
mil" network as well as evaluating potential threats 
that may require military actions as part of a response. 
A 2011 DoD report to Congress noted that: 

As in the physical world, a determination of what is 
a "threat or use of force" in cyberspace must be made 
in the context in which the activity occurs, and it
involves an analysis by the affected states of the effect
and purpose of the actions in question. 

So how does the military accomplish this
evaluation? In his confirmation hearings before a senate
committee in March 2014, the current Commander, 
U.S. Cyber Command, Admiral Michael Rogers pro- 
vided some insight with regard to this question: 

DoD has a set of criteria that it uses to assess cyber- 
space events. As individual events may vary greatly 
from each other, each event will be assessed on a 
case-by-case basis. While the criteria we use to assess 
events are classified for operational security purposes, 
generally speaking, DoD analyzes whether the proxi- 
mate consequences of a cyberspace event are similar 
to those produced by kinetic weapons.

Initial Responses. 

In theory, these processes all sound sufficient, but 
how are they being implemented? The current appli- 
cations entail an evolving relationship between DoD 
and DHS that was initially formalized in the October 
2010 Memorandum of Agreement (MOA) signed by
secretaries Gates (DoD) and Napolitano (DHS) and 
designed: 

to set forth terms by which DHS and DoD will pro- 
vide personnel, equipment, and facilities in order to 
increase interdepartmental collaboration in strategic 
planning for the Nation's cybersecurity, mutual sup- 
port for cybersecurity capabilities development, and 
synchronization of current operational cybersecurity 
mission activities.

One month before the MOA was released, DHS
completed its interim National Cyber Incident 
Response Plan (NCIRP) which: 


provides a framework for effective incident response 
capabilities and coordination between federal agen- 
cies, state, and local governments, the private sector, 
and international partners during significant cyber 
incidents. 


The NCIRP has been tested in several "Cyber 
Storm" exercises sponsored by DHS and supported 
by multiple and diverse representatives from federal, 
state, and local governments as well as international 
and industry partners. Despite this, the area of
incident reporting remains a work in progress with many
of the limitations noted in 2010 by the GAO being 
actively worked: 

Although multiple federal agencies are parties to 
information-sharing or incident-response agreements 
with other countries, the federal government lacks a 
coherent approach toward participating in a broader 
international framework for responding to cyber in- 
cidents with global impact. U.S. and European gov- 
ernment officials, members of the private sector, and 
subject matter experts told us that establishing an ef- 
fective international framework for incident response 
is difficult for multiple reasons, including the national 
security concerns associated with sharing potentially 
sensitive information, the large number of indepen- 
dent organizations involved in incident response, and 
the absence of incident response capabilities within 
some countries. 


In his final testimony in February 2014 as
Commander, U.S. Cyber Command, General Keith
Alexander described the progress made in the DoD
evaluation and reporting of significant cyberspace events:


USCYBERCOM, for instance, has been integrated in 
the government wide processes for National Event re- 
sponses. This regularly exercised capability will help 
ensure that a cyber incident of national significance 
can elicit a fast and effective response at the right 
decisionmaking level, to include pre-designated au- 
thorities and self-defense actions where necessary and 
appropriate.

Each military service has also developed similar 
information and reporting systems to serve both their 
own unique service-related cyber component
requirements as well as integrate into the sub-unified
structure of USCYBERCOM.121 Specific to potential
cyberspace attacks, General Alexander noted:

Should an attack get through, or if a provocation were 
to escalate by accident into a major cyber incident, we 
at USCYBERCOM expect to be called upon to defend 
the nation. We plan and train for this every day. My 
Joint Operations Center team routinely conducts and 
practices its Emergency Action Procedures to defend 
the nation through interagency emergency cyber pro- 
cedures. During these conferences, which we have 
exercised with the participation up to the level of the 
Deputy Secretary of Defense, we work with our inter- 
agency partners to determine if a Cyber Event, Threat 
or Attack has occurred or will occur through cyber- 
space against the United States. As Commander, US- 
CYBERCOM, I make an assessment of the likelihood 
of an attack and recommendations to take, if appli- 
cable. We utilize this process in conjunction with the 
National Military Command Center (NMCC) to deter- 
mine when and if the conference should transition to a 
National Event or Threat Conference.

The purpose of this monograph is not to critique
existing command and control functions of military
cyberspace actions; rather, it is to understand in gen- 
eral terms how they may provide actionable informa- 
tion for decisionmakers. But these processes cannot 
operate in a vacuum; let us explore some of the factors 
identified in Figure 3 that should influence the overall 
cyberspace incident assessment methodology. 

Global Environment Considerations. 

Crime, Espionage, and Terrorism. 

To establish a realistic context of the global cyber- 
space environment, it is essential to acknowledge how 
crime, espionage, and terrorism are viewed as well as 
how they are differentiated from use of force. The U.S. 
International Strategy for Cyberspace clearly separates 
"protection from crime" from "right of self-defense" 
and outlines the expectation for international law 
enforcement: 

In the case of criminals and other non-state actors 
who would threaten our national and economic secu- 
rity, domestic deterrence requires all states to have 
processes that permit them to investigate, apprehend, 
and prosecute those who intrude or disrupt networks 
at home or abroad. Internationally, law enforcement 
organizations must work in concert with one another 
whenever possible to freeze perishable data vital to 
ongoing investigations, to work with legislatures and 
justice ministries to harmonize their approaches, and 
to promote due process and the rule of law — all key 
tenets of the Budapest Convention on Cybercrime. 

The Budapest (Council of Europe) Convention on 
Cybercrime began in 1997, was opened for signature 
in November 2001, and has been ratified by at least
42 countries. Its provisions focus on criminal offenses
in four categories: fraud and forgery, child pornography,
copyright infringement, and security breaches.
A Yale Law School comparison of crime and war in 
cyberspace offers a similar scope for cyber crime: 

Cyber-crime is generally understood as the use of a 
computer-based means to commit an illegal act . . . 
thus often defined by its means — that is, a computer 
system or network. As such, cyber-crime encompasses 
a very broad range of illicit activity. Among the pri- 
orities of the Department of Justice and FBI [Federal 
Bureau of Investigation] units addressing cyber-crime 
are fraudulent practices on the Internet, online piracy, 
storage and sharing of child pornography on a computer,
and computer intrusions.


The broader implications of cyber crime as a global
threat are offered by Clapper:

Cyber criminal organizations are as ubiquitous as 
they are problematic on digital networks. Motivated 
by profit rather than ideology, cyber criminals play a 
major role in the international development, modifica- 
tion, and proliferation of malicious software and illicit 
networks designed to steal data and money. They will 
continue to pose substantial threats to the trust and 
integrity of global financial institutions and personal 
financial transactions.


But will the results of nonstate criminal events be 
sufficiently dissimilar from the potential effects of ac- 
tions taken by state forces? Perhaps not in all cases, 
according to the Yale Law study: 

While the distinction between cyber-crime and cyber- 
attack is important, we acknowledge that it often will 
not be readily apparent at the moment of the cyber-event
whether it is one or the other (or both) — in part
because the identity and purpose of the actor may not 
be apparent. 

Thus, the problem is that it may be difficult to distinguish
up front whether a given incident in cyberspace
with negative effects is criminal or the initiation of a
use of force. This same problem with distinction may
extend to the areas of espionage and terrorism since,
from the victim's perspective, there may not be clear
cause-and-effect evidence available to evaluate the
situation.

As discussed earlier, espionage conducted by state 
entities is generally acknowledged as a traditional ritual
among nations that is distinct from armed conflict. But 
facilitated by cyberspace means, the practice of indus- 
trial and economic espionage is changing in scope and 
sophistication as concluded in a 2011 report by the Of- 
fice of the National Counterintelligence Executive: 

Foreign collectors of sensitive economic information 
are able to operate in cyberspace with relatively little 
risk of detection by their private sector targets. The 
proliferation of malicious software, prevalence of cy- 
ber tool sharing, use of hackers as proxies, and rout- 
ing of operations through third countries make it dif- 
ficult to attribute responsibility for computer network 
intrusions. Cyber tools have enhanced the economic 
espionage threat, and the Intelligence Community (IC) 
judges the use of such tools is already a larger threat 
than more traditional espionage methods. 

Adding to the complexity and sensitivity of this 
issue is that the activity is not limited to countries 
that are considered adversarial. Surprisingly, it is also 
common among friendly nations, as the same report
posited: 


Some US allies and partners use their broad access to 
US institutions to acquire sensitive US economic and 
technology information, primarily through aggressive 
elicitation and other human intelligence (HUMINT) 
tactics. Some of these states have advanced cyber 
capabilities.

Terrorist organizations are also gaining access to 
advanced cyber capabilities, often using criminal prof- 
its to fund their efforts. Clapper stated that "terrorist 
organizations have expressed interest in developing 
offensive cyber capabilities. They continue to use cy- 
berspace for propaganda and influence operations, 
financial activities, and personnel recruitment." The
attribution of terrorism acts conducted by nonstate ac- 
tors must consider if the culprits were condoned or 
even supported by a legitimate state. If the latter were 
true, it should be a significant element in determin- 
ing the motivation and intent of other state actions in 
cyberspace. Given that we can winnow these certain 
cyberspace incidents, what pragmatic factors should 
be in play during further evaluation of cyber incidents 
to distinguish those related to use of force? 

Pragmatic Factors for Decisionmakers. 

Providing the best analysis and advice to deci- 
sionmakers for the discrimination of hostile actions 
in cyberspace activities requires consideration of the 
"what next" implications. Recall that Rid posited that 
war must include instrumental and political aspects — 
how might these emerge if the President decides to 
direct a military response to an event deemed to be 
an act of force in cyberspace? DoD provided part of
this answer in response to questions from Congress in 
November 2011: 


Cyber operations might not include the introduction 
of armed forces personnel into the area of hostilities. 
Cyber operations may, however, be a component of 
larger operations that could trigger notification and 
reporting in accordance with the War Powers Reso- 
lution [Public Law 93-148]. The Department will 
continue to assess each of its actions in cyberspace to 
determine when the requirements of the War Powers 
Resolution may apply to those actions.

However, initiation of the War Powers Resolution 
applies to "situations where imminent involvement in
hostilities is clearly indicated by the circumstances."
Jason Healey and A. J. Wilson developed a model 
mapping cyberspace force "logic presence" against 
what might be considered an equivalent physical 
presence of forces that are more familiar to advisors. 
It ranges from an outside country's simple connection 
to the public Internet up to a long-term campaign of 
manipulating foreign systems. Importantly, they in- 
tegrate requirements for congressional notification 
as hostilities progress. While not an authenticated
methodology, it has value that merits possible incor- 
poration into an advisor's kit bag. 

If the decision is made to use U.S. military forces, 
what resources will be available to the commander in 
chief? The centerpiece of the cyberspace element is the 
Cyber Mission Force: 

The Force includes Cyber Protection Forces that oper- 
ate and defend the Department's networks and sup- 
port military operations worldwide. Combat Mission 
Forces that support Combatant Commanders as they 
plan and execute military missions, and National
Mission Forces that counter cyberattacks against the
United States.

The Force is scheduled to be staffed initially by 
2016 with an impressive number of teams available by 
fiscal year 2019: 

• 13 National Mission Teams with 8 National 
Support Teams 

• 27 Combat Mission Teams with 17 Combat 
Support Teams 

• 18 National Cyber Protection Teams (CPTs) 

• 24 Service CPTs 

• 26 Combatant Command and DoD Information 
Network CPTs

One of the biggest challenges in implementing cy- 
berspace operations is the development of a cadre of 
expert planners and their socialization into the greater 
military community. In a recent article, Jason Bender, 
one of the vanguards of this evolving group, offered 
insight into how this might be accomplished: 

In the case of the institution, the services must pursue 
broad and comprehensive common-core education for 
all potential commanders and planners regarding cy- 
berspace operations. Doctrinal publication classifica- 
tions must be carefully and appropriately overcome in 
order to get the word to the masses and educate them 
on the realm of the possible in terms of the operational 
environment relative to the cyberspace domain, the 
operational process, and fires and targeting.


One of the greatest variables in this process depicted
in Figure 3 is the personalities and propensities
of not only the top decisionmaker, but also of the
intermediate leaders and their staffs. While this is not
unique to cyberspace-related issues, the dynamic nature
of the domain and the speed of operational execution
may intensify the effects of decisions over those in
the traditional domains. Some have argued from corporate
experiences that intuitive leaders may function
better within a complex adaptive system than leaders
that favor rational approaches to decisionmaking and
problem solving. In truth, there are few, if any, leaders
with sufficient experience in cyberspace matters
to be able to claim intuition, and the system dynamics
of the domain change faster than any human can
perceive, thus calling into question any deference to
rational models. So what is to be done? Jody Prescott,
Senior Fellow, West Point Center for the Rule of Law,
examines the challenge of "building the ethical cyber
commander" who must lead within a realistic framework
that recognizes the increasing use of human-computer
interfaces and autonomous decision making
processes (ADPs):

Given the likely speed at which future cyber opera- 
tions would occur, not only will commanders need to 
accelerate their decision making, but will also likely 
need to use ADPs as part of their arsenal in order to 
maintain their operational effectiveness. The ethical 
and legal challenges posed by reliance upon this sort 
of technology must be explored fully to ensure that 
possible solutions are consistent with the overarching 
social, political, and legal norms we expect our mili- 
tary personnel to meet as they conduct operations on 
our behalf.


Even when equipped with the skills and guided by 
principles listed here, the ethical cyber leader must be 
able to comprehend that others in the world may not 
share their same values and thus perceive events and
actions differently. 

Perceptions, Intentional and Unintentional. 

Even when a hostile cyberspace event occurs that 
is internationally validated as an armed attack, there is 
no explicit requirement for a head of state to respond. 
There are risks inherent in the three possible outcomes 
of doing nothing, retaliating appropriately, or retali- 
ating inappropriately. RAND fellow Martin Libicki 
studied the possible repercussions of these outcomes 
to a country's ongoing deterrence and attack effectiveness.
Doctoral student Timothy Junio questions the
assumption that treating states as unitary rational ac- 
tors is sufficient for modeling complex international 
interactions involving cyberspace. He outlines poten- 
tial theoretical paradigms that incorporate bargaining 
theory modified to accommodate information tech- 
nology factors. Less stringent than the unitary ratio- 
nal actor model, "the principal-agent approach, for 
instance, works with the premise that individuals and 
organizations often vary in their incentives and preferences,
which could make war beneficial for some at
the cost of others."

Practicing appropriate transparency with regard 
to U.S. cyberspace force issues can help allay trepida- 
tion among friends and competitors. Regardless of the 
merits of the DoD Strategy and the U.S. Cyber Com- 
mand structure, one has to critique the lack of adher- 
ence to proper strategic communication principles 
when it was unveiled to the world writ large. Certain- 
ly, the unexpected announcement by Secretary Gates 
did not seem well coordinated with the Department of 
State and thus gave skeptical nations reasonable cause 
for further suspicion regarding the U.S. activities in
cyberspace. The assessment of the GAO was: 

In addition, DoD and Department of State officials ac- 
knowledged that the announcement of the Secretary 
of Defense's decision to establish the Cyber Command 
was not coordinated with the Department of State, al- 
though DoD officials stated that the department had 
shared the purpose, intent, and mission with other 
agencies, including the Department of State. Never- 
theless, the announcement was perceived by several 
foreign governments and other entities as a potentially 
threatening attempt by the U.S. government to militarize
cyberspace, according to recognized experts.

Other examples of how intentions may be viewed 
differently include some of the reactions to the release 
of the Tallinn Manual which was criticized by Russia as 
a product focused on "the rules for prosecuting cyber 
warfare" while Russia is "trying to prevent militarization
of cyberspace by urging the international community
to adopt a code of conduct in this sphere."
While this can be viewed as political maneuvering in 
line with Russia's stated policy views, it illustrates that 
even a product with vast consensus may still present 
some controversy. Congress specifically queried DoD 
regarding how the discovery of its penetrations of for- 
eign networks for intelligence gathering might "cause 
the targeted nation to interpret the penetration as a 
serious hostile act." The DoD response pointed to the 
long history of espionage practiced in both directions 
between states and admitted that: 

The United States Government collects foreign intel- 
ligence via cyberspace, and does so in compliance 
with all applicable laws, policies, and procedures. 
The conduct of all U.S. intelligence operations is 
governed by long-standing and well-established
considerations, to include the possibility those operations
could be interpreted as a hostile act.


However, they should also recognize that the du- 
al-hatted commander status of U.S. Cyber Command 
and the National Security Agency may send mixed 
messages to the international community as well as 
provide grist for the propaganda mills of potential 
adversaries. 

Domestic Environment Considerations. 

For national decisionmaking regarding the judg- 
ment of a given cyberspace incident, the President as 
chief executive may be considered the point where the 
legal federal authorities stipulated in U.S. Code con- 
verge—that is, the White House is "where the buck 
stops" for U.S. actions in cyberspace. The evaluation 
process for actions in cyberspace should be supported 
by many different government organizations as part 
of the roles and responsibilities; the major duties relat- 
ed to these undertakings can be found in the following 
portions of the U.S. Code: 

• Title 6: Domestic Security (Department of
Homeland Security)

• Title 10: Armed Forces (Department of Defense)

• Title 18: Crimes and Criminal Procedure 
(Department of Justice) 

• Title 22: Foreign Relations and Intercourse 
(Department of State) 

• Title 32: National Guard 

• Title 40: Public Buildings, Property, and Works 

• Title 44: Public Printing and Documents 
(National Security Systems) 

• Title 50: War and National Defense
(Intelligence Community) 

• Title 51: National and Commercial Space 
Programs

Unless properly integrated and synchronized, the 
results from this diverse federal lineup may be dis- 
jointed. Alexander promulgated the teamwork nec- 
essary to achieve unity of effort in his February 2014 
congressional testimony: 

Our new operating concept to enhance military cyber 
capabilities is helping to foster a whole-of-government 
approach to counter our nation's cyber adversaries. In- 
deed, USCYBERCOM planners, operators, and experts 
are prized for their ability to bring partners together to 
conceptualize and execute operations like those that 
had significant effects over the last year in deterring 
and denying our adversaries' cyber designs. 

But even when everyone desires to work together, 
there will inevitably be seams and overlaps of conflicting
intents for shared resources. For example, how are
public and private interests weighed in
the selection of targets for intelligence collection and 
possible attack? Rogers addressed this exact question 
during his March 2014 Senate testimony:

The Tri-lateral Memorandum of Agreement contains a
deconfliction mechanism involving DoD, DoJ [Department
of Justice], the Intelligence community and agencies
outlined in, and reinforced by PPD [Presidential
Policy Directive]-20. Disagreements are handled similar
to those internal to DoD; the issue is forwarded
from the Seniors involved to the Deputies then on to
the Principals Committee with the final stop being the
President in cases where equities/gain-loss are ultimately
resolved.

Industry and Commercial.


Even if the complexities and challenges of coordi- 
nating separate federal functions toward a common 
goal are fully resolved, this may not be sufficient. In 
many cases, the evaluation of cyberspace incidents 
and any consideration of possible military responses 
should expand from a whole-of-government approach 
to a whole-of-nation approach. This principle was articulated
in the White House 2009 Cyber Policy Review:

The private sector, however, designs, builds, owns, 
and operates most of the digital infrastructures that 
support government and private users alike. The Unit- 
ed States needs a comprehensive framework to ensure 
a coordinated response by the Federal, State, local, 
and tribal governments, the private sector, and inter- 
national allies to significant incidents. Implementation 
of this framework will require developing reporting 
thresholds, adaptable response and recovery plans, 
and the necessary coordination, information sharing, 
and incident reporting mechanisms needed for those 
plans to succeed. The government, working with key 
stakeholders, should design an effective mechanism 
to achieve a true common operating picture that in- 
tegrates information from the government and the 
private sector and serves as the basis for informed and 
prioritized vulnerability mitigation efforts and incident
response decisions.

However, this more holistic practice may intro- 
duce additional areas of overlapping responsibility. 
For example, one of the unresolved questions in Koh's 
presentation to U.S. Cyber Command centered on how 
the United States should treat dual-use infrastructure 
in cyberspace: 


Parties to an armed conflict will need to assess the po- 
tential effects of a cyber attack on computers that are 
not military objectives, such as private, civilian com- 
puters that hold no military significance, but may be 
networked to computers that are valid military objec- 
tives. Parties will also need to consider the harm to the 
civilian uses of such infrastructure in performing the 
necessary proportionality review. 


Under the National Cyber Incident Response Plan 
framework, DoD is assigned to assist protection efforts
for the Defense Industrial Base as well as private
sector critical infrastructure and key resources.
In his March 2014 congressional testimony, Rogers 
provided further details regarding the government's 
expectations of private sector effort to defend them- 
selves in cyberspace: 


I believe that mission assurance and the protection 
of our critical infrastructure is an inherent obligation 
of all, not just DoD, DHS, DOJ/FBI and our govern- 
ment. In many cases, mission assurance relies on the 
provision, management, or facilitation of critical infra- 
structure lies in the private sector. Defensive measures 
could include not just automated capabilities to pre- 
vent or respond, but also adherence to proper stan- 
dards of network security, administration, sharing of 
threat and vulnerability information, and compliance. 
These are as critical to protection of infrastructure as 
is military or cyber might. In almost any scenario, col- 
laboration and information sharing across private and 
public, governmental and non-governmental organizations
will be a key to successful outcomes.

Of course, this expectation of corporate self-de- 
fense may lead to some interesting situations. For ex- 
ample, what is the limit to which an industry entity 
may go to stop an ongoing or imminent criminal act in
their networks? Will they be allowed to legally "hack 
back" at the criminals? The concept of privateering has 
reemerged as a possible, if not pragmatic, part of the 
national effort. In theory, entrepreneurial cyberspace 
experts would be issued the equivalent of a letter of 
marque that would serve as a government license for 
them to attack and capture cyber criminals considered 
to be enemies of the issuing nation. Cyberspace re- 
searcher Michael Tanji noted potential benefits as well 
as pitfalls to incorporating this: 

Privateering is arguably the most economical, techni- 
cally feasible and historically relevant approach to the 
problem. Despite serious legal hurdles, privateering 
is precedence, and where is precedence valued more 
than in the law? 

Privateering would require a strong, independent 
and transparent mechanism for validating activity 
since the potential for abuse would be strong. There is 
no shortage of events that could potentially qualify for 
privateer action, so much so that there will probably 
be a temptation over time to make the language in let- 
ters more ambiguous or to issue a "blanket" letter that 
takes responsibility for deciding when to act out of the 
hands of the government.

Private Citizens. 

Similar in concept to the "hack back" dilemma for 
corporations is the emerging trend of "patriot hack- 
ing" for individuals. This concept is explored in a NA- 
TO-sponsored book on international cyber incidents: 


"Patriot hacking" (or "patriotic hacking") is a term 
that reflects citizen involvement with hacking or cyber 
attacking the systems of a perceived adversary (e.g. 
another government or nation). 

Patriot hacking is often used as a response against a 
country's political decision that the country where the 
particular hacker or group of hackers originates from 
openly or presumably disapproves. As such, patriot 
hacking is performed by a group of people who take 
action "pro patria" [for one's country] in cases where 
they believe that this is the right thing for their gov- 
ernment to do or where they perceive the government 
as unable to do "the right thing."

There are also cases where computers located in 
the United States have been used as part of robot net- 
works (botnets) in attacks. For example, recall that the 
landmark denial of service attacks on Estonia in 2007 
involved computers from 178 countries. Participa- 
tion in botnets by private citizens may be willing (e.g., 
part of Anonymous) or unwilling (e.g., computer con- 
trolled by malware). In either case, there is still on- 
going debate internationally with regard to what re- 
sponsibilities sovereign countries have for controlling 
these types of cyberspace deeds within their boundar- 
ies. While there is no clear way ahead for these issues, 
it is clear that they require collaborative work between 
the public and private sectors, and that this combined 
effort must protect the privacy of all citizens. Rogers 
has reiterated this priority: 

The nature of malicious cyber activity against our na- 
tion's networks has become a matter of such concern 
that legislation to enable real-time cyber threat infor- 
mation sharing is vital to protecting our national and 
economic security. Incremental steps such as legislation
that addresses only private sector sharing would
have limited effectiveness, because no single public 
or private entity has all the necessary authorities, 
resources, or capabilities to respond to or prevent a 
serious cyber attack. Therefore, we must find a way 
to share the unique insights held by both government 
and the private sector. At the same time, legislation 
must help construct a trust-based community where 
two-way, real-time sharing of cyber threat informa- 
tion is done consistent with protections of U.S. person 
privacy and civil liberties. 


Options, Risks, and Potential Consequences. 

When complex analyses are performed in time- 
critical situations with potentially dire consequences, 
it may be possible to get lost in the details and lose 
sight of the overall objective. Thus, it is prudent to 
integrate sanity checks as options are developed to 
support both the assessment of cyberspace incidents 
as well as any responses they might entail. The tra- 
ditional framework of considering the feasibility, ac- 
ceptability, and suitability of proposed courses of ac- 
tions could serve this purpose well. 

To provide simplicity and clarity to the distinction 
of cyberspace events, it may be tempting to identify 
and communicate specific actions to other countries 
that would serve as clear "triggers" or "red lines" to 
authenticate an attack as well as the U.S. response that 
it merits. As argued here, the complex and dynamic 
nature of cyberspace is beyond that of traditional 
domains, and therefore any preconceived evaluation 
runs the risk of being obsolete before it is implement- 
ed. Certainly, this presents challenges to the tradition- 
al planner mindset of having an off-the-shelf solution 
available, but such a tenet serves perhaps the greater 
need of maintaining flexibility of action. Also, defining
clear "no go" lines for potential adversaries provides 
a de facto approved operational envelope that may not 
be advantageous for long-term security. 

Some of these triggers may already be in place un- 
knowingly in the form of delegated authorities and 
automated cyber defense (ACD) mechanisms at the 
tactical level (e.g., antivirus software). The Depart- 
ment of Defense Strategy for Operating in Cyberspace in- 
dicates that ACD is an integral part of military cyber 
operations: 

Active cyber defense is DoD's synchronized, real-time 
capability to discover, detect, analyze, and mitigate 
threats and vulnerabilities. It builds on traditional ap- 
proaches to defending DoD networks and systems, 
supplementing best practices with new operating 
concepts. It operates at network speed by using sen- 
sors, software, and intelligence to detect and stop ma- 
licious activity before it can affect DoD networks and 
systems.

Alexander stated in February 2014 that similar 
procedures are integrated in national event responses: 

This regularly exercised capability will help ensure 
that a cyber incident of national significance can elicit a 
fast and effective response at the right decisionmaking 
level, to include pre-designated authorities and self-defense
actions where necessary and appropriate.

Surely such measures can contribute to a neater
and more expedient process — but will the results
match the designers' expectations and the users'
needs? How will unintended nth-order effects — the
emergent cases from the interactions of a complex
adaptive system — be presented to and considered by
decisionmakers? Fortunately, the significance of this
concern is addressed in another of the unresolved 
questions posed by Koh: 


How can a use of force regime take into account all 
of the novel kinds of effects that states can produce 
through the click of a button? ... As you all know, 
however, there are other types of cyber actions that do 
not have a clear kinetic parallel, which raise profound 
questions about exactly what we mean by "force."

Ironically, it is a necessary paradox that one must 
give up tactical control of operations in cyberspace 
that are beyond human comprehension in order to 
gain control — or at least perceived control — over 
broader capabilities facilitated by vast collectives like 
the Internet. Yet, the implementation of autonomous 
functions should be evaluated with critical skepticism 
to avoid the extreme possibility of initiating a series 
of events that synchronize with similar systems of an 
adversary. In the worst case, mutual escalation could 
culminate in a "decisionless war" fought with mul- 
tiple salvos in cyberspace occurring in the millisec- 
onds it takes for military operators to comprehend the 
changed icon on their computer screen. 

The serious nature of these implications may be 
exacerbated if cyberspace operations are more for- 
mally integrated into our nation's strategic deterrence 
framework. A January 2013 Defense Science Board 
study examined potential mutually supporting roles 
of global conventional strike forces, nuclear forces, 
and offensive cyberspace forces. The board posited 
that the rise of nations which may pose a strategic 
cyber threat to the United States warrants incorpora- 
tion of "cyber survivable strike capability" into U.S. 
strategic forces: 

To provide a non-nuclear but cyber survivable escalation
ladder between conventional conflict and the nuclear
threshold — that is to increase stability and build
a new sub-nuclear red line in this emerging era of a cyber
peer competitor delivering a catastrophic attack.

Perhaps such extrapolation may be viewed as 
alarmist in nature and one would certainly hope that 
events like these never manifest. Still, as a trite truism 
observes, "hope is not a strategy," and the best way 
to avoid future calamity is to actively and prudently 
investigate and mitigate the circumstances that may 
catalyze them. 

RECOMMENDATIONS 

This monograph addresses many topics relevant 
to the challenge of distinguishing acts of war in cyber- 
space. For improving the existing processes involved 
in this continuing endeavor, it recommends the fol- 
lowing actions be incorporated: 

• In assessing cyberspace incidents, embrace the 
full context and consequences as well as legal 
and technical criteria. Consider using the meth- 
odology depicted in Figure 3 as a starting point 
to build upon. 

• Adopt a commons paradigm of cyberspace for 
any operations above the tactical level to fully 
embrace the full scope of operations on any 
global network (such as the Internet). 

• Expand the military cyber operational spec- 
trum to delineate the ultra-tactical realm — that 
is, actions that occur below the threshold of hu- 
man comprehension. Incorporate the dynamics 
of complex adaptive systems with emergence 
into any modeling of this realm. 

• Adopt future-facing paradigms to evaluate cyberspace
assessment challenges in a proactive
manner — that is, go beyond precedent-based legal
and technical analysis and consider innovations
that may be adopted by potential allies or
aggressors.

• Assess where biases may be in the design and 
implementation of assessment mechanisms 
and methodologies. This should include exami- 
nation of biases in information gathering and 
incident reporting. 

• Study potential extreme implications for auto- 
mated cyber defense, especially as it may relate 
to conflict escalation as well as the replacement 
of any decisionmaker cognitive processes. 

• Examine how preemptive defense measures 
allowable under international law may apply 
in cyberspace as well as their potential benefits 
and risks. 

CONCLUDING REMARKS 

Determining an act of war is not a fait accompli in the
traditional domains. In fact, it often involves sophisti- 
cated interactions of many factors that may be outside 
the control of the parties involved; the dynamic and 
complex nature of cyberspace makes such a task even 
more difficult. The result of the combined aspects of 
speed, perception limitation, and system complexity 
may have far-reaching implications for the reliability 
of information presented to support decisionmaking 
in the cyberspace domain. While military planners 
and operators may deem it advantageous to view 
cyberspace as an operational domain, diverse policy 
considerations indicate that decisionmakers may have 
more success using a commons paradigm. 

Providing the best analysis and advice to decisionmakers
for the discrimination of hostile actions in cyberspace
activities requires consideration of the "what
next" implications, thus it is important to consider 
possible responses and their implications up front in 
the process. Accordingly, it may be prudent to exer- 
cise caution in developing and implementing decision 
criteria (e.g., red lines) that are too explicit (or auto- 
mated). We must also expect and accept that other 
nations may reasonably apply the criteria we develop 
to our own actions in cyberspace. Such determination 
should not be the exclusive purview of the legal, infor- 
mation technology, or intelligence communities. 

But in addition to the technical, legal, and bureaucratic
difficulties facing decisionmakers as they try to
visualize the infinitely intricate composition of cyberspace,
these efforts may be hampered by the lack
of a thoughtful and forward-thinking U.S. grand strategy.
Perhaps we can learn lessons from the relatively
new domain of space. In the heydays of the 1960s, 
there were vast amounts of resources poured into hu- 
man space flight programs, all without a clear concept 
of how such space operations fit into national secu- 
rity, let alone into long-term national strategies. One 
can argue that the end result was the slow devolution 
from the U.S. victory in the moon race to the ironic po- 
sition 5 decades later where U.S. astronauts must use 
Russian rockets to reach the International Space Sta- 
tion. In the end, one might observe that strategy-wise, 
the United States plays checkers, Russia plays chess, 
and China plays go. Perhaps it is time to up our game. 

APPENDIX 1
APPLICABLE UNITED NATIONS CHARTER
AND NORTH ATLANTIC TREATY ARTICLES

U.N. CHARTER ARTICLE 2. 

The Organization and its Members, in pursuit of 
the Purposes stated in Article 1, shall act in accordance 
with the following Principles. 

1. The Organization is based on the principle of the 
sovereign equality of all its Members. 

2. All Members, in order to ensure to all of them 
the rights and benefits resulting from membership, 
shall fulfill in good faith the obligations assumed by 
them in accordance with the present Charter. 

3. All Members shall settle their international dis- 
putes by peaceful means in such a manner that inter- 
national peace and security, and justice, are not en- 
dangered. 

4. All Members shall refrain in their international 
relations from the threat or use of force against the ter- 
ritorial integrity or political independence of any state, 
or in any other manner inconsistent with the Purposes 
of the United Nations. 

5. All Members shall give the United Nations ev- 
ery assistance in any action it takes in accordance with 
the present Charter, and shall refrain from giving as- 
sistance to any state against which the United Nations 
is taking preventive or enforcement action. 

6. The Organization shall ensure that states which 
are not Members of the United Nations act in accor- 
dance with these Principles so far as may be neces- 
sary for the maintenance of international peace and 
security. 

7. Nothing contained in the present Charter shall
authorize the United Nations to intervene in matters 
which are essentially within the domestic jurisdiction 
of any state or shall require the Members to submit 
such matters to settlement under the present Charter; 
but this principle shall not prejudice the application of 
enforcement measures under Chapter VII.

U.N. CHARTER ARTICLE 25. 

The Members of the United Nations agree to accept 
and carry out the decisions of the Security Council in 
accordance with the present Charter. 

U.N. CHARTER ARTICLE 39. 

The Security Council shall determine the existence 
of any threat to the peace, breach of the peace, or act of 
aggression and shall make recommendations, or de- 
cide what measures shall be taken in accordance with 
Articles 41 and 42, to maintain or restore international 
peace and security. 

U.N. CHARTER ARTICLE 41. 

The Security Council may decide what measures 
not involving the use of armed force are to be em- 
ployed to give effect to its decisions, and it may call 
upon the Members of the United Nations to apply 
such measures. These may include complete or partial 
interruption of economic relations and of rail, sea, air, 
postal, telegraphic, radio, and other means of commu- 
nication, and the severance of diplomatic relations. 

U.N. CHARTER ARTICLE 42.


Should the Security Council consider that mea- 
sures provided for in Article 41 would be inadequate 
or have proved to be inadequate, it may take such ac- 
tion by air, sea, or land forces as may be necessary to 
maintain or restore international peace and security. 
Such action may include demonstrations, blockade, 
and other operations by air, sea, or land forces of 
Members of the United Nations. 

U.N. CHARTER ARTICLE 51. 

Nothing in the present Charter shall impair the 
inherent right of individual or collective self-defence 
if an armed attack occurs against a Member of the 
United Nations, until the Security Council has taken 
measures necessary to maintain international peace 
and security. Measures taken by Members in the exer- 
cise of this right of self-defence shall be immediately 
reported to the Security Council and shall not in any 
way affect the authority and responsibility of the Se- 
curity Council under the present Charter to take at 
any time such action as it deems necessary in order to 
maintain or restore international peace and security. 

NATO ARTICLE 4 

The Parties will consult together whenever, in the 
opinion of any of them, the territorial integrity, po- 
litical independence or security of any of the Parties 
is threatened. 

NATO ARTICLE 5


The Parties agree that an armed attack against one 
or more of them in Europe or North America shall be 
considered an attack against them all and consequent- 
ly they agree that, if such an armed attack occurs, 
each of them, in exercise of the right of individual or 
collective self-defence recognised by Article 51 of the 
Charter of the United Nations, will assist the Party or 
Parties so attacked by taking forthwith, individually 
and in concert with the other Parties, such action as it 
deems necessary, including the use of armed force, to 
restore and maintain the security of the North Atlantic 
area. Any such armed attack and all measures taken as 
a result thereof shall immediately be reported to the 
Security Council. Such measures shall be terminated 
when the Security Council has taken the measures 
necessary to restore and maintain international peace 
and security. 

APPENDIX 2
TALLINN MANUAL CRITERIA 


Rule 11 - Definition of Use of Force 

A cyber operation constitutes a use of force when 
its scale and effects are comparable to non-cyber op- 
erations rising to the level of a use of force. 

Proposed factors that influence State assessment of 
potential use of force (not formal legal criteria) 

(a) Severity: How many people were killed? How 
large an area was attacked? How much dam- 
age was done within this area? 

(b) Immediacy: How soon were the effects of the 
cyber operation felt? How quickly did its ef- 
fects abate? 

(c) Directness: Was the action the proximate cause 
of the effects? Were there contributing causes 
giving rise to those effects? 

(d) Invasiveness: Did the action involve penetrat- 
ing a cyber network intended to be secure? 
Was the locus of the action within the target 
country? 

(e) Measurability of effects: How can the effects 
of the action be quantified? Are the effects of 
the action distinct from the results of parallel or 
competing actions? How certain is the calcula- 
tion of the effects? 

(f) Military character: Did the military conduct 
the cyber operation? Were the armed forces the 
target of the cyber operation? 

(g) State involvement: Is the State directly or indi- 
rectly involved in the act in question? But for 
the acting State's sake, would the action have 
occurred? 

(h) Presumptive legality: Has this category of action
been generally characterized as a use of
force, or characterized as one that is not? Are 
the means qualitatively similar to others pre- 
sumed legitimate under international law? 